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IN THE HIGH COURT OF JUDICATURE AT BOMBAY 
ORDINARY ORIGINAL CIVIL JURISDICTION 

PUBLIC INTEREST LITIGATION NO. OF 2012 


Vickram Crishna & Ors ... Petitioners 

Versus 

Unique Identification Authority of India & Ors. ...Respondents 


SYNOPSIS 


Date 

Particulars 

04/12/2006 

An empowered group of Ministers (EGoM) was 
constituted and the twin proposals to create 
both a National Population Register by an 
amendment to the Citizenship Rules and UID 

were brought into the purview of this 
empowered group of Ministers (EGoM). 

04/1 1/2008 

The Committee of Secretaries and the 

Empowered group of Ministers' made 

recommendations for the constitution of the 

Unique Identification Authority of India. 

28/01/2009 

The Planning Commission notified the 

recommendations for the constitution of the 

Unique Identification Authority of India as an 
attached office under the aegis of Planning 

Commission with an initial core team of 115 

officials. , 


The Unique Identity Project (the “UID”), a 

brainchild of the Planning Commission, was 
announced with the ambitious agenda of 

collecting and documenting biomatrix and other 

information of the entire Indian population. 



29/01/2009 

The government came with a notification 
creating the Unique Identity Authority of India' 
(U.I.D.A.I.). an agency established under the 
aegis ot the Planning Commission to issue 

Unique Identity Numbers (UID) to every Indian 
citizen. 

23/07/2009 

The Government appointed Shri. Nandan M. 
Nilekani as Chairman of the Unique 
Identification Authority of India, in the rank 
and status of a Cabinet Minister for an initial 
tenure of five years and Mr. Nilekani has joined 
the UIDAI as its Chairman on 23/07/2009. 

30/07/2009 

An advisory council presided by the Prime 
Minister was set up on 30 July 2009 to advise 
the UIDAI on Programme, methodology and 
implementation to ensure co-ordination 
between Ministries/Departments, stakeholders 
and partners. 


The declared aim of the aadhaar numbers 1 
scheme is to streamline the delivery of services 
to Indian residents and avoid corruption and 
misuse of public funds and subsidies. 


UIDAI was created through an executive fiat to 
enable the process of issuing UID cards across 
India, without any rules, procedures, or 
guidelines. Its further extension, 

universalisation and implementation across the 
nation remains must contingent upon both an 
initial success together alongwith legislative 
passage of the proposed National Identification 
Authority of India Bill, 2010 

April 2010 

Unique Identification Authority of India issued 
a UID Strategy Overview. 



April 2011 

Government of Maharashtra through its GR 
dated April 2011, plans to make Aadhaar a 
compulsory requirement for government 
employees for accessing their salary benefits. 

12/09/2011 

A detailed alternative note that critically 
explains the functioning of the UID titled “UID 
for Dummies” was authored by Simi Chacko 
and Pratiksha Khanduri. 

26/09/201 ] 

fhe Petroleum Ministry has made Aadhaar a 
mandatory condition for LPG users by a 
Gazette Notification dated 26/09/2011. 

13/12/2011 

The Standing Committee of the Parliament has 
rejected the present draft of the NIDAI as not 
meeting the required constitutional standards by 
a report dated 13/12/2011. 


In complete disregard to both, UID numbers 
without any safeguards against the tremendous 
breach of privacy entrenched in the scheme as it 
presently stands are being issued across the 
country without any legislative framework. 


Hence the petition. 


Points to be urged: 


1. Whether the UIDAI-Aadhaar scheme as it presently stands as a 
mere executive fiat, is illegal, arbitrary and unconstitutional by 
granting wide, unrestricted powers to an unaccountable 
independent body knows as UIDAI, and also to private agencies; 
leading to huge breaches on the right to privacy and dignity of 
Indian citizens? 

2. Whether reasonable restrictions on fundamental rights can only be 
through legislative mandate and the UID scheme makes invasion 
into fundamental rights without a legislative mandate and is hence 
bad in law? 

3. Whether the co-extensive executive power exercised to implement 
UIDAI can be untrammeled and function towards restricting 
fundamental rights without any due procedure, guidelines and 



safety mechanism, which can only be ensured through a statutory 
framework? 


4 . 


Whether the mandatory enforcement UIDAI-Aadhaar aehema 
uontravenes Artiola a 1 by restricting the right to decision matting. 

personal integrity, choice and dignity? * 


5. Whether the impugned notification dated 4 th November 2008 is 
illegal, arbitrary and bad in law for setting out an extensive task of 
launching UID way beyond the executive competence, without 
any guidelines, rules and procedure? 


6. Whether the impugned notification 4 lh November 2008 is illegal, 
arbitrary and unconstitutional and in breach and contravention of 
Article 14 for assigning the most essential function of data 
collection via enrolment for Aadhaar to private agencies? 


7. Whether the notification 4 ,h November 2008 is further illegal as it 

delegates excessive powers with the UIDAI without any 

guidelines or procedure, leading to further unrestricted delegation 

of powers to private parties creating great potential for data 

leakages, and breaches of sensitive private data leading to Indian 
Citizens? 


8. Whether this convergence of silos of information will completely 
abolish the veneer of privacy that protects the daily lives of 
individuals by the cross-referencing service usage of a particular 
individual through a single numeric bio-metric identity has huge 
implications for building State inroads into every private activity 
and service accessed by that individual, this is further complicated 
by the possibility of private actors also accessing similar 
information? 


9. Whether the right to privacy as upheld within the right to life in 
Article 21, and restriction if any must be justified through a 
rational and reasonable statutory procedure? 


Acts and Regulations Relied on: 

1. Constitution of India 
Judgments relied on: 

1) Kharak Singh v. State of Uttar Pradesh 

2) Gobtnd v. State of Madhya Pradesh 

3) PUCL v Union of India (1997) 1 SCC 301 

4) Sharda v Dharampal (2003) 4 SCC 493 

5) R. Rajgopal v. State of Tamil Nadu (1994) 6 SCC 632 


6) Phoolan Devi v. Shekhar Kapur (57 (1995) DLT154) 

7) Khushwanr Singh v. Maneka Gandhi AIR 2002 Del 58. 

Additional judgments will be relied on at the time of argument. 



Advocate for the Petitioner 
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PUBLIC INTEREST LITIGATION NO. OF 2012 

In the matter of the public 
interest of protecting the rights 
of privacy, autonomy, dignity 
and free and full enjoyment of 
life of the citizens of India, 

i . 1 

guaranteed under Articles 19 
and 21 ^ of the Indian 
Constitution; 

AND 

In the matter of non-voluntary 
and premature implementation 
of “Aadhaar” in strict breach of 
Article 21 of the Indian 

Constitution 

AND 

In the matter of excessive 
delegation of essential function 
without any guidelines, rules or 
police framework in 



Notification Dated 29 th January 
2009 creating the UIDAJ 

AND 

In the matter of potential 
breaches of the right to privacy 
of citizens of India, through the 

means of data collection, 
storage and sharing by the 
UIDAI, without any legitimate 
and rational nexus of improving 
the public welfare system 

AND 

In the matter of standing 
committee of the Parliament 
Report dated 13 th December 
2010 rejecting the proposed 
National Identification 

Authority of India Bill, 2010 

1. Vickram Crishna, aged 60 yrs, 

Residing at A31 Queens Apts, 

Pali Hill, Bandra, Mumbai 400050 
E mail, vvcrisfewa@amail.com 


Pan No: /\£vJP£ 173 h rt 



2. Kamayani Bali Mahabal, aged 40 years, 


t 




Residing at 503, Juhu Bahart CHS, 
Gandhi Gram Road, 

Juhii, Mumbai 400 059 

Email kamavm@qmail.com 

PAN N t. : A H f P 8 O IBS f 
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3. Yogesh Pawar, aged 43 years. 


Residing at I8B/704, Bimbisar Nagar, 

Near SRP camp. Western Express Highway, 

Goregaon E, Mumbai 65 

Email voqeshpl969@amail.com 
PAN No: ALC 7( P 


4. Dr Nagarjuna G., aged 49 years 

Residing at 502, Bhaskara, TIFR Residential Complex, 
Homi Bhabha Road, Colaba, 


Mumbai 4UUU05 


RK N*: 36il5504rj 

Email ra makumarr@ qmail com £ ., 

PAN No; ACKP 40 I 8 & p, ^ ^ ^ 3 
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Prof. R. Ramkumar, aged 37 years, Pan No '/kj wIpk Zs 
Residing at B2/12, Reserve Bank of India, 

Officer’s Quarters, Chakala, 

Andheri-East, 

Mumbai 400 093 
ph /Vo ; 336 ,3I 
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Versus 

1. UNIQUE IDENTIFICATION AUTHORITY OF INDIA, 
Planning Commission, 

Government of India, 

3 rd Floor, Tower II, 

Jeevan Bharati Building, 

Connaught Circus, 

New Delhi 110001 



2. Mr. A. B. Pandey. 

Deputy Director General, UIDAI, 

Mumbai Regional Office, 

5 th & 7 th Floor, MTNL Building, 

BD Somani Marg, Cuffe Parade, 

Mumbai 400 005 

2. The Chairperson, Planning Commission of India, 
Yojana Bhavan, Sansad Marg, 



New Delhi. 


3. National Informatics Centre 

Department of Information Technology, 

Ministry ol Communications and Information Technology, 
A-B!ock, CGO Complex, 

Lodhi Road, ,New Delhi - 110 003 India 

4. Union of India 

Through the Ministry of Finance 

New Delhi. /•/ 0 0 (7 I 

5. Union of India 

Through the Ministry of Home Affairs 

New Delhi. - / / o a o / ... RESPONDENTS 

TO 

THE HON’BLE CHIEF JUSTICE 

AND THE OTHER HONOURABLE PUISNE 

JUDGES OF THIS HON’BLE COURT 


THE HUMBLE PETITION 
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OF THE PETITIONER 
ABOVENAMED 

MOST RESPECTFULLY SHOWETO 
PUBLIC INTEREST LITIGATION PETITION 

1. Particulars of the cause/ order against which the Petition is 
made: T he Petitioners are filing this public interest litigation to 
challenge the Notification dated 29 lh January 2009 that created 
the Unique Identity Authority of India (U.I.D.A.I.), an agency 
established under the aegis of the Planning Commission to issue 
Unique Identity Numbers (U1D) to every Indian citizen. 


2. The Petitioner submits that UIDAI was created through an 
executive fiat to enable the process of issuing UID cards across 

i 

India, without any rules, procedures, or guidelines. Its further 
extension, universalisation and implementation across the 
nation remains must contingent upon both an initial success 
together alongwith legislative passage of the proposed National 
Identification Authority of India Bill, 2010 (hereinafter referred 
to as the NIDAI Bill). The Petitioners submit that in further 
developments by a report dated 13 th December 2011, the 
Standing Committee of the Parliament has rejected the present 
draft of the NIDAI as not meeting the required constitutional 

% 


standards. 



3. Howevei, in complete disregard to both, UID numbers without 
any safeguards against the tremendous breach of privacy 
entrenched in the scheme as it presently stands are being issued' 

i 

acioss the country without any legislative framework. Aside 
from this an ostensively optional and a premature scheme is 
being converted into a mandatory requirement with the aid of 
different government agencies and state governments. 

- PARTICULARS of the petitioner s 

1. Petitioner No. 1 is an engineer and manager by training. 
He is engaged with an ongoing project to understand 
issues around awareness of personal privacy rights across 
Asia. In the course of earlier globally recognised projects 
to develop specialised software for the profoundly 
disabled and communication solutions for poverty- 
stricken ruial and urban dwellers, he has together with 
colleagues observed empirically that privacy concerns are 
palpable across different strata of society. The Petitioner 
submits that the present move to tag every Indian resident 
with unique numbers, a massive project of unknown 
scope and questionable possibility of success, is made 
increasingly dangerous as it may lead to 
personal information by third parties. 


access to 
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2. 


Petitioner No. 2 is a human rights activist with 
background in clinical psychology, journalism and law. 
She is an expert on gender, health and human rights and 
part of various networks and campaigns related to these 
issues. She has been active in 'Say No to UID" campaign 
which has disseminated much needed information about 
the UID in various forums including colleges, slums and 
NGOs in order to generate a much wider public 

discussion on the subject. 


3 




Petitioner No. 3 is a social work graduate from Tata 
Institute of Social Sciences. He has been a counsellor for 
two years and then crossed over into Journalism. For the 
past 15 years he has been a journalist with The Indtan 
Express, rediff.com , NDTV and DNA. His forte has been 
reporting on issues of development and public interest. 
Since the launch of UID the Petitioner has been reporting 
on the issue through both news reports and columns 


against it and the regime it unleashes. 


4 . 


Petitioner No. 4 is one of the founding members of the 

T , and 

FSF India 


is curr 


rently serving as its Chairperson 


. He holds a faculty 


at 


position 

,i Bhabha Centre for Science Education, TIFR m 

% 


Horn! 



Mumbai. He is an author and maintainer of the GNU 


project GNOWSYS, and leads the gnowledge.org lab in 
Mumbai. He holds an M.Sc. (Biology), M.A. 
(Philosophy) from the University of Delhi and a Ph.D. 
from the Indian Institute of Technology Kanpur in the 
area of Philosophy of Science. He advocates the 

appropriate use of technology and is opposed to the 

< 

indiscriminate deployment of technologies in the UID 
project by U1DA1 or its agents without a feasibility study 
or assessment of its risks. 

Petitioner No 5 is an Associate Professor at the Tata 
Institute of Social Sciences, Mumbai. His official 
webpage is at http://www.tiss.edu/facultv/Ramakumar . 
He is an economist by training. He holds a PhD in 
Quantitative Economics from the Indian Statistical 
Institute, IColkata and has worked and taught at the El 
Colegio de Mexico, Mexico City and the Centre for 
Development Studies, Trivandrum. His areas of interest 
are development economics, agricultural economics and 
rural development. He has published research papers and 
articles in many peer-reviewed international journals and 
books, He has been a close observer of the UID project 
from 2009 onwards and has written articles in The 
Hindu and Frontline on the subject. His research paper 
on the UID project titled ’’Unique ID Project in India: A 
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Skeptical Note" was published in 2010 by the 
international Springer journal, "Lecture Notes in 

Computer Science". 

6. Respondent No. 1 is the impugned UIDAI authority 
which functions under an executive authority, through the 
impugned executive notification dated 28 January 2009. 
Respondent No. 2 is the regional UIDAI authority for the 
Mumbai Region, responsible for registering and 
enrollment for the UID scheme through the help of 
government agencies and private parties. Respondent No. 

3 is the Planning Commission of India which has played 
a crucial role in conceiving the UID scheme and its 
current planning and implementation. 

7. Respondents Nos. 4- 6 are different agencies and 
ministries that have independently expressed concerns 
about duplication, lack of safeguards, excessive 
expenditure with the present UID scheme before the 
Standing Committee of the Parliament. Quoting trom the 
report of the Standing Committee: 

"The Committee regret to observe that despite the 
presence of serious difference of opinion within the 

5 



Government on the UID scheme as illustrated below, 
the scheme continues to be implemented in an 

i The Ministry of Finance (Department of 
Expenditure) have expressed concern that , 
lack of coordination is leading to 
duplication of efforts and expenditure 
among at least six agencies collecting 

i 

information (NPR, MGNREGS, BPL census, 
UIDAI, RSBY and Bank Smart Cards); 

H. The Ministry of Home Affairs are stated to 
have raised serious security concern over • 
the efficacy of introducer system, 
involvement of private agencies in a large 
scale in the scheme which may become a 

K 

threat to national security; uncertainties in 
the UIDAIDs revenue model; 

77/. The National Informatics Centre (NIC) have 
pointed out that the issues relating to 
privacy and security of UID data could be 
better handled by storing in a Government 
data centre; 

i 

/v. The Ministry of Planning have expressed 
reservation over the merits and functioning 
of the UIDAI; and the necessity of collection 
of iris image; 


v. Involvement of several nodal appraising 
agencies which may work at cross-purpose, 

and 

vi. Several Government agencies are collecting 
biometric(s) information in the name of 
different schemes. ” 

All the Respondents are amenable to the Writ Jurisdiction 
of this Hon’ble Court. 


tt nF.f.T.ARATION AN D UNDERTAKING OF PE TI TIONER S 

1. That the present Petition is being filed in public interest. 
Petitioners No. 1,2, 3,4 & 5 do not have any personal interest in 

the matter. 

2. That the entire litigation costs, including the Advocates fees and 
other charges are being borne by the Petitioners. 

3. That a thorough search has been conducted in the matter raised 
through the Petition and all the material concerning the same 


has been annexed to this Petition. 

4. That to the best of the Petitioners knowledge and research the 
issue raised was not dealt with or decided and a similar or 
identical petition was not filed earlier by the Petitionss. 

5. That the Petitioners have understood that in the course of 
hearing of this Petition the Court may require any security to be 


* J2> 




furnished towards costs or any other charges and the Petitioners 

i 

shall have to comply with such requirements. 

6. In the absence of parliamentary approval, and in the light of the 
scathing review of the performance of the UIDAI by the 
Parliamentary Standing Committee on Finance, citizens are left 
with no alternative but to approach the Hon'ble Court to place 
an embargo on Aadhaar, until it undergoes full Parliamentary 
scrutiny to evaluate its effectiveness and Constitutionality. 

7. The Petitioners submit that through this PIL they represent a 
much wider discontent with the UID scheme that has been 
expressed in numerous loras. A recent letter by prominent 
writers, lawyers, historians, and judges has argued strongly for 

constitutional safe guards in UID. To reproduce the content of 
the letter below: 

“A project that proposes to give every resident a 
“unique identity number” is a matter of great 
concern for those working on issues of food 
security, NREGA, migration, technology, 
decentralisation, constitutionalism, civil liberties 
and human rights. The process of setting up the 
Unique Identification Authority of India (UIDAI) 
has resulted in very little, if any, discussion about 
this project and its effects and fallout. It is intended 

■S 



to collect demographic data about all res ideals m 


the country. 

Before it goes any further, we consider it 
imperative that the following be done: 


(i) Do a feasibility> study: There are 
claims made in relation to the project, about 
what it can do for the PDS and NREGA, for 
instance, which does not reflect any 
understanding of the situation on the 
ground. The project documents do not say 
what other effects the project may have, 
including its potential to be intrusive and 
violative of privacy, who may handle the 

data. 


(ii) Do a cost-benefit analysis. It is 
reported that the UIDAI estimates the 
project will cost Rs. 45,000 Crores to the 
exchequer in the next four years. This does 
not seem to include the costs that will be 
incurred by the registrars, enrollers, the 
internal systems costs that the PDs system 



will have to budget if it is to be able to use 
the UID, the estimated cost to the end user 
and to the number holder. 

(Hi) In a system such as this, a mere 
statement that the UIDAI will deal with the 
security of the data is obviously insufficient. 
How does the UIDAI propose to deal with 
data theft? 

(iv) The involvement of firms such as 
Ernst & Young and Accenture PLC raises 
further questions about who will have access 
to the data, and what that means to the 
people of India. The questions have been 
raised which have not been addressed so 
far, including those about: 

(i) Privacy: It is only now that the Department of Personnel 
and Training is said to be working on a draft of a privacy 
law, but nothing is out for discussion, 


(li) Surveillance: This technology), and the existence of the 
UID number, and its working, could result in increasing 


the potential for surveillance, 


(iii) Profiling, 

(iv) Tracking, and 

(v) Convergence, by which those with access to state power, 
as well as companies, could collate information about 
each individual with the help of the UID number. 
National IDs have been abandoned in the US, Australia 
and the UK. The reasons have . predominantly been costs 

and P rivacy - 

If it is too expensive for the US with a population of 308 

million, and the UK with 61 million people, and Australia 

with 21 million people, it is being asked why India thinks 

it can prioritise its spending in this direction. In the UK 

the home secretary explained that they were abandoning 

the 

project because it would otherwise be "intrusive 
bullying” by the State, and that the government intended 
to be the "servant” of the people, and not their 


master”. Is there a lesson in it for us? 




This is a project that could change the status of the 
' people in this country, with effects on our security and 

constitutional rights. So a consideration of all aspects of 
the project should be undertaken with this in mind. 


\ 

\ 

I 

\ 


\ 


\ 

\ 

* 
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We, therefore, ask that the project be halted; a feasibility 
study be done covering all aspects of this issue; experts 
be tasked with studying its constitutionality; the law on 
privacy be urgently worked on (this will affect matters 
way beyond the UID project); a cost-benefit analysis be 
done; a public, informed debate be conducted before any 
such major change be brought in. 
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Trilochan Sastry, 
Jagdeep Chhokar, 
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£ 


and others. ” 
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Till date there is no response from the Respondents to numerous 
such representations. Copy of the aforesaid letter is annexed 

hereto and marked as Exhibit A . 


HI. Issues: 

i. The rejection nf the DID Scheme as re presented through the 
NIDAI Bill bv the Standing Committee of the Parliament, 
calls for an immediate cessation of th e executive scheme of 

UID. 

ii. AadhaarAJIDscheme needs to be quashed for breach of Articles 
14 , 15, 19 and 21 of the Indian Constitution. 

iii. The Aadhaar numbers scheme as it stands is unconstitutional as 
it vests in the State immense power to monitor the activities of 
Indian residents and violate their fundamental right to privacy. 

iv. There is no rational nexus between the collation and 
convergence of personal data of every citizen and the stated 
objective of UID, which is primarily to improve the distribution 

of welfare services. 

v. Given that biometrics cannot succeed in creating a unique 
identification, the objective of non-duplication cannot rationally 
be achieved by invasive means of collecting personal 
information, which is a grave beach of the right to privacy.Any 
subsequent tampering of the biometric information contained in 
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I ; the proposed database of personal infomtation will result in 

!|! “ nprecedente <i damage to the right to life and liberty of the 
|l' j affected person or persons. 

jj} ; The KChn0l0gy ad0p,ed b * UTOAI for the capture of biometric 
jj r! infomtation ie digital fingerprint recording, is known to be 

I inSUffiCimtIy to *““*« ■« =" identifier. An additional 

i bi ° metriC iris ““ning, has been found to be too 

| expensive to be universally deployed. Thus the use of biometric 

| ; ideMification ,0 “"itmaly authenticate and verify the identities 

|f: j tmm r “ iding in India > “P™'ds of 130 crore pemons at the 
y tb * s Pedtion, is unsuitable, leaving UIDAI's 

If: 1 PrOPOSed SOlU,i0n "> ,ha of issuing persons in India 
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| unique identity numbers infructuous and necessitating cessation 
ji i - °fdiis risky, invasive and expensive project. 

f ™' C ° ,leCti0n ° f da,a * outsourcing enrolment for Aadhaar 

V i i 


I m a * s’ t v ^ auu cApeni 

.. 

|| r VII. Collection of data by outs 

|! ? . has hu § e implications on privacy 


I f!® - Convergence and collation of personal infomtation in a 

digital form and unrestricted access to such infomtation by foe 
National Intelligence Grid, without any legislated and 
constitutional safe guards is a grave breach of the right to 

privacy enshrined in Article 21 of the Constitution. 

f' Sh ° Uld 1116 ^ n0t in,ervene *o P« an embargo on Aadhaar, 
until it undergoes parliamentaiy scrutiny to evaluate its 
effectiveness and constitutionality? 
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x. The non-mandatory nature of implementation of Aadhaar, 
through excessive delegation of powers to sub-registrars under 
the scheme has both gone beyond the voluntary nature of the 
scheme, and created greater potential for leakage and misuse of 
sensitive personal information; without any legislative 
safeguards. 


\ 
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IV, FACTS IN BRIEF CONSTITUTING THE CASE. 

1. The Unique Identity Project (the “UID”), a brainchild of the 
Planning Commission, was announced with the ambitious 
agenda of collecting and documenting biometric and other 
information of the entire Indian population. To this end, the 
Planning Commission also set up an independent authority, 
through an executive order of the Central, Government, with 

to 

the mandate of implementing the UID. UID aims at 
becoming the primary basis for efficient delivery of welfare 
schemes by converting itself into a statutory corporate body 
which would go by the name of the National Identification 
Authority (the “Authority”). 


2. Unique Identity Number is in addition to other identities and 
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is issued to all tire citizens from time to time like PAN Card, 
Passport, Ration Card, Driving License, BPL Cards, NREGA 
Card and similar cards issued by .both State and Central 
Government. However, unlike these need based identities 
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issued by the government to various citizens of India, the 

UTD number is issued to every resident in India. It is stated 

that the said identity number is an option that a resident can 

« 

choose to take as it would be easy to authenticate a person’s 
identity anywhere and thus is portable. The identity will be 
stored in a central database with individuals biometric and 
demographic data linked to a randomly generated unique 
number. The identity would be authenticated by querying the 
database. Thus, it may be seen that even a person possessing 
the UID or AADHAAR cai*d cannot authenticate his or her 
identity, but only those in charge of the UID database have 
the means and authority to authenticate the person’s identity. 

The 12 digit number would be assigned as UID to every 
resident would be integrated with biometric and demographic 
data of the person. Demographic data here means the details 
of the person that is his name, name of the father (only in 
case of a child below the age of five years), age, residential 
address, telephone number, email address, details of bank 
accounts.Biometric data is collection of digitized images of 
all the fingerprints and scanning of irises and image of the 
face.A copy of the application form is annexed hereto arid 

marked as Exhibit B .Copy of the UID Strategy Overview QU#. 
dated April 2010 issued by Respondent No. 1 is annexed 
hereto and marked as Exhibit C . Copy of a detailed OH- <-• 
alternative note that critically explains the functioning of the 


UID titled "UID for Dummies” authored by Simi Chacko and 
Pratiksha Khanduri dated 12 th September 2011, is attached 

hereto and marked as Exhibit JP_ . 

3. The Petitioners submit that the twin proposals to create both a 
National Population Register by an amendment to the 
Citizenship Rules and UID, were brought into the purview of 
an empowered group of Ministers (EGoM)constituted on 4 

i 

December 2006. 
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4. Initially the UIDAI may be notified as an executive authority 
and investing it with statutory authority could be taken up foi 

consideration later at an appropriate time. 

I. UIDAI may limit its activities to creation of the initial 

database from the electoral roll/EPIC data. UIDAI may 
however additionally issue instructions to agencies that 
undertake creation of databases to ensure standardization 

of data elements. 

II. UIDAI will take its own decision as to how to build the 
database. 

III. UIDAI would be anchored in the Planning Commission 
for five years after which a view would be taken as to 
where the UIDAI would be located within Government. 
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Constitution of the UIDAI with a core team of 1,0 
personnel at the central level and directed the Planning 
Commission to separately place a detailed proposal with 
the complete structure, rest of staff and organizational 
stiuctuie of UIDAI before the Cabinet Secretary for his 
consideration prior to seeking approval under normal 
procedure through the DoE/CCEA. 

V. Approval to the constitution of the State UIDAI 

Authorities simultaneously with the Central UIDAI with 
a core team of 3 personnel. 

VL December 2009 was given as the target date for 

UIDAI to be made available tor usage by an initial set of 
authorized users. 


h Prior to seeking approval for the complete 
organizational structure and full component of staff 
thiough DoE and CCEA as per existing procedure, the 


Cabinet Secretary should convene a meeting to finalize 
the detailed organizational structure, staff and other 


requirements. 


Copy of the 
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annexed hereto and marked as Exhibit E. 





5. In pursuance of the recommendations of the Committee of 
Secretaries and the Empowered group of Ministers' the 
Unique Identification Authority of India was constituted and 
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notified by the Planning Commission on 28 January 2009 as 
an attached office under the aegis of Planning Commission 
with an initial core team of 115 officials. The lole and 
responsibilities of the UIDAI was laid clown in this 
notification. The UIDAI was given the responsibility to lay 
down plan and policies to implement UIDAI scheme and own 
and operate the UIDAI database and be responsible for its 
updation and maintenance on an ongoing basis.Copy of the 
Notification dated 28 th January 2009 is annexed hereto and 
marked as Exhibit F . The said impugned Notification 
outlined the following tasks to be carried out under the UID 

t 

banner: 

I. Generate and assign UID to residents 

II. Define mechanisms and processes for interlinking UID 
with partner databases on a continuous basis 

III. Frame policies and administrative procedures related to 
updation mechanism and maintenance of UID database 

on an ongoing basis 

i 

IV. Co-ordinate/liaise with implementation partners 
and user agencies as also define conflicl resolution 

mechanisms 

V. Define usage and applicability of UID for delivery of 
various services 

VI. Operate and manage all stages of UID lifecycle 



p 2'S 

VII. Adopt phased approach for implementation of UID 
specially with reference to approved timelines 

VIII. Take necessary steps to ensure collation of NPR 
with UID (as per approved strategy) 

IX. Ensure ways for leveraging field level institutions 
appropriately such as PRIs in establishing linkages across 
partner agencies as well as its validation while cross 
linking with other designated agencies 

X. Evolve strategy for awareness and communication of 
UID and its usage 

XL Identify new partner/user agencies 



6 The Petitioner submits that subsequent to the notification the 
Government appointed Shri. Nandan M. Nilekani as 

Chairman of the Unique Identification Authority of India, in 

\ 

the rank and status of a Cabinet Minister for an initial tenure 



of five years. Mr. Nilekani has joined the UIDAI as its 
Chairman on 23 July 2009. Copy of the notification 


appointing Nandan M. Nilekani as chairman is annexed 

\ 

hereto and marked as Exhibit G . iS-fik'- 


7 The Petitioner submits that although set up through an 
executive fiat, the UIDAI was always intended to be brought 
under the purview of a legislative scheme. In the meanwhile, 
an advisory council presided by the Prime Minister's was set 
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up on 30 July 2009. The Council is to advise ihe U1DAI on 
Programme, methodology and implementation to ensure co¬ 
ordination between Ministries/Departments, stakeholders and 
partners. Further, the activities of the UIDAI were to be 
supervised and monitored by a Cabinet Committee headed by 
the Honourable Prime Minister and consists of the Minister 
of Finance, Minister of Agriculture, Minister of Consumer 
Affairs, Food and Public Distribution, Minister of Home 
Affairs, Minister of External Affairs, Minister of Law and 
Justice, Minister of Communications and Information 
Technology, Minister of Labour and Employment, Minister 
of Human Resource Development, Ministei of Rural 
Development and Panchayati Raj, Minister of Housing and 
Urban Poverty Alleviation and Minister of Tourism. The 
Deputy Chairman Planning Commission and Chairman 

UIDAI are special invitees. 
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Thus it is clear that in its present form UIDAI is an executive 
body with no legislative authority intended at this juncture to 
create the systems for the long term universal implementation 
of UIDs pursuant to the enactment of a legislative scheme 
and an appropriate regulatory authority. The Petitioners 
submit that before the legislative scheme is enacted, the 
Parliament as a sovereign body, will scrutinize the suspect 
claims made by UID and the effectiveness, feasibility and 

3 





constitutionality of its objectives. The Petitioners submit that 
the constitutionality of the UID as an executive scheme 

t 

t 

without any legislative backing is further suspect pursuant to 
the rejection of the NIDAI Draft Bill by the Standing 
Committee of the Parliament, for falling short of meeting 
minimum constitutional standards. 

9. The Petitioners submit that the eventual aim of the aadhaar 
numbers scheme is to streamline the delivery of services to 
In dian residents and ay piri .corru ption anH mlon^ nf pnKi .v 

funds and subsidies. UIDAI claims that the UID will achieve 
the two following objectives: 

a. Revolution in public service delivery. By providing a 

cleai prool of identity, Aadhaar will empower poor and 

underprivileged residents in accessing services such as 
- — - - —■ - ...—.— 

the formal banking system and give them the opportunity 
to easily avail various other services provided by the 
Government and the private sector. The centralised 
technology infrastructure of the UIDAI will enable 
'anytime, anywhere, anyhow' authentication. Existing 
identity databases in India are fraught with problems of 
fraud and duplicate or ghost beneficiaries. To prevent 
these problems from seeping into the Aadhaar database, 
the UIDAI plans to enrol residents into its database with 
proper verification of their demographic and biometric 
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information. This will ensure that the data collected is 
clean from the beginning of the program. However, much 
of the poor and under-privileged population lack identity 
documents and Aadhaar may be the first form of 

identification they will have access to. 
b. Overhaul internal security and assist the investigating 

agencies. 

lO.To achieve its objective as stated above, UID has set out to 

undertake its main task that is of Data Collection, without the 

legislative passage of the NID Bill. The Petitioner submits 

that the creation of a national identity caid or number 

requires the following activities. 

i. DATA COLLECTION: Information relating to the 

individual necessary for identification is collected 

and stored in a register under the supervision of a 

governmental authority. This may include different ^ 

categories of sensitive, personal information about 

individuals from their health records, to bank 

transactions, to the number of times they may use 

public transport every week. 

/ 

ii. DATA PROCESSING: The Authority either 
discloses or verifies the information in the register 
upon any requests regarding any individual 

permitted under any law; and 

1 
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iii. DATA PROTECTION: The government is duty 

bound to protect such information. ' 

- - - 

iv. DATA DESTRUCTION: The government is duty 

. ... ■ ' — ■ . 

bound to destroy such sensitive, personal 
information as is not absolutely needed for the 
functioning of a scheme of authentication of 
identity cards or numbers, and has been collected 
lor that purpose, and should not be retained or used 
for any other purpose without the full informed 
consent of each and every enrollee. 

11 .The main function ol the Authority is to collect relevant 
personal details together with unique biometric information 
from the population and use this information as the basis for 
issuing unique identification numbers to the population. The 
unique numbers, which are referred to as aadhaar numbers, 
are to be used as the basis of authentication of the identity of 
Indian residents seeking to avail certain services, either from 
the State or private parties. While authenticating the identity 
of a user, the proposed Authority only confirms or denies the 
authenticity ol the number and its holder, i.e., by way of a 
simple ‘Yes’ or ‘No’ answer. The UIDAI has stated that the 
proposed authority does not propose to disclose, to a third 
parly, any o f the personal details it may have collected in 
order to issue the aadhaar number. However, the Authority 
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in a central database will store details of all authentication 
requests received for a particular aadhaar number. On 
analyzing these authentication requests it is possible to track 
the location and utilization of services by the holder of an 
aadhaar number. This can create immense potential for 
misuse of information, leaking of personal information in the 
wrong hands. Apart from this, UID, in an open premise has 
committed itself to sharing all information collected by it 
with the National Intelligence Grid.Copy of a detailed 
scientific study by Paul Ohm titled “Broken Promises of 
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Anonymisation ” that illustrates how central identity 
databases facililate the reverse audit trail of personal 
information is attached hereto and marked as Exhibit H. 




12 . The UIDAI has conducted a so-called 'proof of concept' study » 

that determined the expected rate of failure of biometric 
measurement as an identification method. The report is 
k - 'J - ■ attached hereto and marked Exhibit I . An analysis of the 

reported figures reveals that the conclusions drawn in this 
report are insufficiently precise, and in fact, the incidence of 
so-called 'false positives' (persons incorrectly identified by 
the measuring system) will be impossibly high. A copy of 
this analysis by David Moss, a British engineer responsible 
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foi similar studies that showed the impossibility of the now- 
cancelled (at a loss of substantially over stg 800 million, 




approximating Rs 6,500 crores) UK ID cards system \s 



attached as Exhibit JT. 
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13.The draft N1DAI Bill lays out a regulatory framework 


identifying the powers and responsibilities of the proposed 
Authority along with criminal sanctions for unauthorized 


disclosure of information collected by the Authority. 
However, the same are highly inadequate and fail to meet the 


minimum standards of safeguards necessary. In a legal 

a. 

atmosphere with no legislated right to privacy, the 
enforcement of weak criminal sanctions against any breach of 
privacy becomes difficult. Copy of the UIDAI Bill is annexed 
hereto and marked as Exhibit K .Copv of an article titled “A &A ^ 
Unique Identity Bill” by Prof. Usha Ramanthan, a prominent 
advocate on the right to privacy in India, is annexed hereto 


and marked as Exhibit L. 





14.The Petitioners submit that the UIDAI draft as it was tabled 
in the Parliament has been rejected by the Standing 
Committee by its report dated 13 th December 2011, by the 
making the following observations: 

a. Lack of clarity 

b. Overlap between UID and NPR 
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c. No statutory power to address key 
issues of defaulters and penalties 

d. Aadhaar will not completely eradicate 
the need to provide other documents 
for identification 

e. Estimated failure of biometrics is 
expected to be as high as 15% due lo a 
large chunk of population being 
dependent on manual labour. 

f. It is also not clear that the UID 
scheme would continue beyond the 
coverage of 200 million of the total 
population, the mandate given to the 
UIDAI. 

g. Considering the huge database size 
and possibility of misuse of 
information has not been carefully 
considered. 

Copy of the detailed report of the Standing Committee dated 13 
h' December 2011 is annexed hereto and marked as ExhibitjVI. 


V. RIGHT TO PRIVACY 



15.The Petitioner submits that the proposal of data collection, 
storage and sharing as laid out above makes heavy inroads 
into the right to privacy and its constitutionality must be 
tested against the breach of the right of privacy itself 
enshrined under Article 21 and also for rationality and non¬ 
arbitrariness by examining the objective behind UID.The 
Petitioner submits that UIDAI attempts to undertake the task 
of collecting personal information for the entire Indian 
population, which constitutes a total of 1.2 billion people. 
The privacy implications of the same are numerous and as 

i 

follows: ' 


I. Data Collection : 


>• Sub Registrar: UIDAI in order to expedite the 
collection of information has entered into MoUs 
with several agencies, be it Banks, Insurance 
Agents, other Government Departments to enrolls 
citizens for the UID card. Even though UIDAI , 
only allows for collection of non-sensitive personal 


information, through the decentralization and 
delegation of data collection, the Sub-Registrar has 



been provided with the freedom to ask for 
additional information. Thus, for example, every 



Aadhaar form has the option of linking your bank 
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account with the Aadhaar number. The Petitioners 
submit that in many reported cases, the Banks 
acting as Sub-registrars, automatically link the 
bank accounts with the Aadhaar while registeiing 
new entrants. Some of the excessive information 
sought from sub-registrars includes: 

1. Resident's name, his/her fathers name, 

/his/her spouse’s name, names of his/her 

j / children, his/her age, residential address, 

his/her income, whether he/she owns any 

car? Whether he/she owns any scooter? 

|\ ^ Whether he/she owns any other vehicle? 

\\ 

His/her telephone and cell phone numbers 
both office and residence, his/her 
deposits, insurance policies, investments, the 
companies in which he/she has interest and 
other details; 

2. Similar details regarding spouse and 
children, linked with the Aadhaar number 
are collected. All these details are not 
collected under the Aadhaar form. However, 
all these particulars are mandated through 
the concept of ‘Know Your Customer’ from 
the banks by a RBI directive. When all these 
details of each resident is integrated, the 



state would be virtually accessing and 
intruding into the liie of each and every 


resident of India, through Dr. Usha 



Ramanathan’s argument on convergence of 
different silos of information. 

Excessiv e Delegation; Bv appointing several sub¬ 
registrars and empowering them with data 
collection and registration, sensitive personal 
intormation about citizens instead of going directly 
to the UIDA1 data base also becomes available in a 
parallel format with the Sub-Registrar, who is not 
bound bv^any rules, r egulations^ or legislative 

of recent'^ 

ol theft and sale of enrolment data from private 


agencies in Punjab is annexed hereto and marked 


as Exhibit N. 




Data Storage in One Central Database^ further 
contemplates storage of that entire information in one central 
data base. The Respondents also claim that it will be safe. It 
is submitted that biometric and demographic information of 
1.3+ billion residents of India mean 6 petabytes (6,000 
terabytes or 6,000,000 gigabytes). It will be the world’s 
largest database. The technological challenges are 
enormous and involve system performance, reliability, 


speed and resolution of accuracy and errors. But a more 
serious issue is regarding the security. The information can 
be hacked. The Petitioners respectfully submit that hacking 
of data is not a theoretical fear, but a practical reality .The 
implications of this cannot be settled just through a Proof 
of Concept. 

I. Data Protection 

i. Audit Trail: According to U1DAI, when you enter 
into a iransaction where you had to produce your 
ID card, the design of the system was such that a 
record would be kept of every such verification. It 
provides a detailed record of eveiy tiansaction 
done, which can be of interest to either people 
browsing the database or to security services or 
whoever. UIDAI, argues that the record here is 
limited to verification and thus even if traced back 
to the source of service accessed, it remains 
harmless. However, the record here would not be 
just the verification of identity; there would be a 
little more data associated with the transaction. In a 
recent published interview, a scholar working on 
the conflict between privacy and National ID 
cards, cites the following apposite example. 




“For example, you went to Health Clinic 

♦ 

Number 45. They used your card and your 
fingerprint there for verification. They did 
this at 12:37 hours. There is a series of 
metadata associated with that visit that 
would be there in the audit trail. And, of 
course, it wouldn't take very long to realise 
that, actually. Health Clinic Number 45 is a 
sexual health clinic. If the audit trail also 
shows that you were there on a number of 
occasions, it might be reasonable to infer 
certain kinds of things that you perhaps do 
not want to disclose. Some things are not 
necessary to be disclosed, but which are 
being recorded and stored in an accessible 
way to various people because of the way 
the system is designed. "A copy of the Edgar 

Whitley interview printed in Frontline is 

. 

annexed h ereto and marked as Exhibit O. 
Disclosure of Information: The potential of audit 
trail misuse is an important reality. In the present 
form UIDAI has no mechanisms for preventing the 
sharing ot any information, or 
safeguards/penalities for leaks and misuse of 
verification records. The NID Bill, however 

3 
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contemplates misuse and hence provides the 

following framework: 

a. CL 33 ^Nothing contained in the sub¬ 
section (3) of section 30 shall apply in 
respect of — (a) any disciosuie of 
infonnation (including identity 
information or details of authenti¬ 
cation) made pursuant to an order of a 
competent court; or (b) any disclosure 
of infonnation (including identity 
information) made in the interests of 

i 

national security in pursuance of a 
direction to that effect issued by an 
officer not below the rank of Joint 
Secretary or equivalent in the Central 
Government after obtaining approval 

of the Minister in charge.” 

Clause 33, is highly inadequate, as firstly it 
excludes information sought for nsecurity teasons 
from judicial scrutiny. This in itself is a recipe for 
grave misuse of private information. On the other 
hand court orders are not subject to the rule of audi 

alteram partem. 

. rw-eHnn of Data'.The UIDAI has described its 
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operational method for authentication of entollees 


requiring the person to present the number and biometric 
information (initially, fingerprints, up to ten; however it has 
been asserted trom time to time that only two fingerprints 
will be necessary for authentication; in the absence of any 
ti ials of the system, such fine details are not. known at 
present. The need for iris scans has also been expressed, 
however, the budget for recording iris scans has not been 
approved, nor have the present numbers of the population, 
saicl t o be over 10 cr, had iris scans taken at the time r>f 
e nrolling with UIDAI). The information will be matched 
with the information in UIDAI's central database and a 
simple yes/no reply will be generated. No personal details of 
any kind can be sought from the database through this 
system. It is obvious that other personal details are only taken 
for the purpose ol verifying the accuracy of the basic 
iniormation ie matching the fingerprints with the person. It is 
not needed for the further functioning of the system, as 
claimed by UIDAI. ft is therefore essential that the additional 
data collected be destroyed in order to protect citizens from 
any illegal access to the UIDAI database and subsequent 
misuse of that breach of privacy in any way whatsoever. 
m^AI has not made any provisions at all for data 
destiuction, although it is well known in technological circles 
that destruction of digital data is an expensive and tedious 


17.lt is important to note that the Right to Privacy especially in 
the context of wrongful access to personal information about 
individuals and controlling excessive interference from the 
State into private lives of individuals, is well recognized in 
Indian law. It has been held that the Right to Privacy is an 
integral part of the Right to Life under Article 21. 

18.1n Kharak Singh v. State of Uttar Pradesh', a person with a 
criminal record, had challenged the constitutionality of 
certain police regulations which permitted surveillance of his 
house as also ‘domiciliary visits’ to his house at any time. In 
this case the petitioner had attempted to put forth the 
argument that the regulations in question violated his right to 
privacy which could be read into the fundamental right to life 
and liberty in Article 21 of the Constitution. The majority 
judgment of the Court however rejected this argument that 
Article 21 of the Constitution provided for a fundamental 
right to privacy. The minority judgment by Justice Subba Rao 
and Justice Shah however favoured a broaderinterpretation of 
the term ‘personal liberty’ in Article 21. In pertinent part, 
Justice Rao held that “It is true our Constitution does not 
expressly declare a right to privacy as a fundamental right, 

_ } 

AIR 1963 SC 1295 ai para 18 


1 



bvt the said right is an essential ingredient of personal 

liberty’ ” 


19.The debate over privacy as a fundamental right’ cropped up 
once again in the case of Gobind v. State of Madhya Pradesh■ 
The petitioner in this case had challenged certain police 
regulations on the grounds that the same had invaded the 
petitioner’s fundamental right to privacy. In this judgment a 

l 

full bench of the Supreme Court was more willing to link the 
right to privacy’ to the fundamental rights enshrined in Part 
III of the Constitution. The Court has held that the Right to 
Privacy clearly means one has a right to be left alone within 
one’s home. 

“Rights and freedoms of citizens are set forth in the 
Constitution in order' to guarantee that the individual, 
his personality and those things stamped with his 
personality shall be free from official interference except 
where a reasonable basis for intrusion exists. 'Liberty 
against government” a phrase coined by Professor 
Corwin expresses this idea forcefully. In this sense, many 
of the fundamental rights of citizens can be described as 


contributing to the right, to privacy." 



20.The aforesaid quote is pertinent in understanding the kind of 
unfettered intrusion access UIDAI and the NID Bill allow 
into the State and many other private agencies into the 
personal lives of citizens of India, without any legislative 
procedures, safeguards and remedy. Thereafter, the right to 
privacy has been recognized in a number of judgments of this 
Court and of the High Courts in a number of cases including 
PUCL v. Union of India (1997) 1 SCC 301, Sharda v. 
Dharampal (2003) 4 SCC 493, R. Rajgopal v. State of Tamil 
Nadu (1994) 6 SCC 632, Phoolan Devi v. Shekhar Kapur (57 
(1995) DLT 154), Khushwant Singh v. Maneka Gandhi AIR 
2002 Del 58. 


21.And more appositely, in the case of District Registrar and 
Collector, Hyderabad v. Canara Bank (2005) 1 SCC 632, 
section 73 of the Andhra Pradesh Stamp Act was challenged. 
The impugned sectionrequired any public officer or any other 
person having in his custody records, registers, 
books,documents, the inspection of which may result in 
discovery of fraud or omission of duty, toallow any person 
authorized in writing by the collector to enter any premises to 
conduct aninspection of the same which may also be 
impounded by the person so authorized after 
dueacknowledgement of the saine. 


22.This provision was struck down by the High Court of Andhra 
Pradesh on the grounds that it was arbitrary and unreasonable 
and the same was upheld by the Supreme Court. In arriving at 


into a 


its conclusions the Court held that legislative intrusions 
perso n’s privac y “must be tested on the touchst one of 
re asonableness as guaranteed by the Constitution and for 
that purpose th e Court can go into the proportionality of the 


intrusion vis-a-vis the purpose sought to be achieved. ” In 


a 


lat er portion of the judgment the Court while harshly 
cri ticizing the lack of any procedural safeguards or 
mechanism in the impugned provision went on to cite its 


own 


piecedent in the case of u Air India v.Nergesh Meerza & Ors., 

2 -rr i , _ _ i - 

(1 )81) 4 SCC 335, where it was held that a discretionary 
power may not necessarily be a discriminatory power but 
where a statute confers a power on an authority to decide 
matters of moment without laying down any guidelines or 


principles or norms, the power has to be struck down 


as 


being violative of Article 14. 
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Rational Nexus between UID and thf. Pmrrv 
Qbjective\ 

"3- 2 h® Petitioner submit that the UIDAI has made statements 
in public that through a study titled, ‘PROOF OF CONCEPT’ 
they have developeda proof method and with minimal 
eitor maigin. The Petitioners submit that the purpose of any 
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feasibilithy study must be to conclusively establish that the 
objectives soughl to be achieved will be accomplished 
through the exercise, especially when a vast amount of public 

money is at stake. 


24. Thus, in the case of the UID project, where the objectives, 
according to the statements of the Respondents, are to ensure 
welfare benefits reach the intended beneficiaries, it would be 
necessary for the PoC exercise to show how beneficiaries 
would receive these benefits. This means, that the study 
would involve, not merely the collection of fingerprint data, 
but the use of the data to authenticate the BPL beneficiaries 
who come to collect PDS rations from designated shops and 
their receiving the goods over a reasonable period of time 
through the process envisaged in the project. Thus in a 
nutshell a feasibility study should not be a theoretical, 
imaginative exercise like the POC, but something that is 
tested in practice over a period of time. 


t 




25. The Petitioner submits that the primary purpose of UIDAI is 
said to be to improve the welfare system in the country by 
eradicating identity theft through duplication of identity. 
Thus non-duplication has been championed as both the 
solution for fixing the old Public Distribution System, and 
UID as the “unique” method of achieving it. 





26.1 he Petitioners submit the foremost assumption in the 

aioresaid is that due to lack of identity the poor do not 

receive government welfare benefits. Secondly, the 
\— — ■ 

Respondents assume that fake and duplicate identities are the 
causes for leakage (that is siphoni ng) of welfare funds. Both 
these are unproven assumptions. They are not based on any 
study or investigation. Several studies have increasingly 
shown that the PDS system is actually improving, and that by 
introducing an untested new Aadhaar, universally and across 
the board in a rushed manner, may actually end up excluding 
a lot ol intended beneficiaries.Copies of detailed reports, 
analysis and studies conducted on the efficacy of UIDAI to 
address welfare distribution issues conducted and written by 

Prof. Reetika Kliera are annexed hereto and marked 
collectively as Exhibit P. 



27.UIDAI argues that through the combination of name, 

photograph, fingerprinting and iris scans they can create an 

irrefutable identity that is linked to the person itself, and does 

not require any external proof — like ration cards or passports 

for identification. The person herself is the identifier through 

fingerprinting and iris scans. 

& 


28.However, there are many problems with this proposition. 
Firstly, a data base of this scale of 1.2 billion people’s finger 
prints and iris scans has never been created. Thus the entire 
proposition for a population base such as India is completely \ 
untested and unproven. Quoting an analogy that criticizes the | 

similar UK ID Cards’ non-duplication strategy which was j 

] 

entirely scrapped: 

There were far better performance results on a 1:1 
match. So, this is Edgar's fingerprint on the 
database, here is Edgar, we do 1:1 match; this is 
more likely to work. But that was not how the U.K. 
was planning to use it. The U.K. was trying to use 
biometrics to also prevent duplicate identities. The 
idea was that even if I try to enrol twice, and even 
if I had created a fake biographic identity (say, a 
John Smith with a different address), when my 
fingerprint came in for a second time, the system 
should come along and say: "We know this 
fingerprint, and this belongs to Edgai Whitley 
and not say, John Smith. Here, you have to match 
every single biometric with eveiy single previous 
biometric. ” 

29.Thus biometrics requires not just matching a fingerprint with 
its true origin, but also with others to avoid non-duplication. 







Apart from this exercise, the veiy reliability of finger prints 
in India is not 100 percent. An assessment report filed by 4G 

Solutions, contracted by UIDAI to supply biometric devices 
notes: 

* 

“It is estimated that approximately five per cent of any 
population has unreadable fingerprints, either due to 
scars or aging or illegible prints. In the Indian 
environment, experience has shown that the failure to 

I 

enrol is as high as 15 per cent due to the prevalence of a 

huge population dependent on manual labour. " 

Copy of the 4G Solutions Report is annexed hereto and 
marked as Exhibit O. 

t/Ch 4 • 
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30.The report of the UIDAI's “Biometrics Standards 

♦ 

Committee actually accepts these concerns as real. Its 
report, notes that “fingerprint quality, the most important 
vaiiable for determining de-duplication accuracy, has not 
been studied in depth in the Indian context.” Thus, the very 
premise of UIDAI is not something that has scientific 
backing. This consideration has formed an important basis 
behind the decision of the Standing Committee rejecting the 
U1DIA bill and scheme as it presently stands. Copy of the 
Biometrics Standards Committee report commissioned by the 
JIDAI is annexed hereto and marked as Exhibit R £0 f 


VII. Mandatory and Coercive 

31. The Petitioners submit that one of the biggest illegalities 


being committed under the Aadhaar scheme is by making it 
mandatory through coercive conditions. UID has always, 
repeatedly stated that Aadhaar is a voluntary scheme. Thus, 
enrolment for Aadhaar is a voluntary act. The NIAI draft Bill, 
which seeks to legitimatize the functioning of the first 
Respondent, is so worded to establish that Aadhaar is 
optional and not compulsory. However, in its premature 
implementation, in practice the scheme is gradually being 
made non-voluntary and mandatory. This is made worse by 
adoption of coercive pre-conditions by different government 



artments. 



n. 


A recent gazette notification dated 26 Sep 2011, of 
the Petroleum Ministry has made Aadhaar a 
mandatory condition for LPG users. Copy of the 
news report announcing the change in policy is 

t . 

annexed hereto and marked as Exhibit r S 
Government of Maharashtra through its GR dated 




I 




* 


April 2011, plans to make Aadhaar a compulsory 
requirement for government employees or 
accessing their salary benefits.Copy—. ihc 
aforesaid circular is annexed_hey / —ao d 


marked as Exhibit T 


The Petitioners submit that the enrollment for Aadhaar is 

working on an extremely fast pace that it has become 

impossible to avoid attempts at enrolment. The Petitioners 

submit that such mandatory, non-voluntary and coercive 

eniolment lot Aadhaar is an affront to their to personal 

integrity, right to make decisions about themselves and the 

right to dignity all enshrined and developed as indivisible 

elements ol the Right to Life under Article 21 of the 
Constitution. 


33. The Petitioners submit that by insisting on a mandatory 
lequirement and making access to every service contingent 
upon Aadhaar, the Respondents are creating a class of 
excluded non-Aadhaar holders who will be left out of 
welfaie schemes, because they have consciously chosen to 

not enroll in an untested, premature and at present 
completely unreliable scheme. 


34. The Petitioners submit that Aadhaar must be enacted not only 
under the supervision and protection of a strict national 
privacy law, but even in its implementation it must only be 
bi ought in through a phased manner, and not the sudden 
immediate implementation as at present. 




GROUNDS 


C 


* 

A. The UIDAI-Aadhaar scheme as it presently stands as a mere 
executive fiat, is illegal, arbitrary and unconstitutional by 
granting wide, unrestricted powers to an unaccountable 
independent body knows as U1DAI, and also to private 
agencies; leading to huge breaches on the right to privacy and 

dignity of Indian citizens; 

B. Reasonable restrictions on fundamental rights can only be 
through legislative mandate. The UID scheme makes invasion 
into fundamental rights without a legislative mandate and is 

hence bad in law; 

C. The co-extensive executive power exercised to implement 
UIDAI cannot be untrammeled and function towards restricting 
fundamental rights without any due procedure, guidelines and 
safety mechanism, which can only be ensured through a 

statutory framework; 

D. The Hon’ble Supreme Court has repeatedly held that executive 
power cannot be used to restrict fundamental rights, 

E. The mandatory enforcement UIDAI-Aadhaar scheme 
contravenes Article 21 by restricting the right to decision 
making, personal integrity, choice and dignity, 

F. The impugned notification dated 4 th November 2008 is illegal, 
arbitrary and bad in law for setting out an extensive task of 
launching UID way beyond the executive competence, without 
any guidelines, rules and procedure, 
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G. The aforesaid impugned notification is illegal, arbitral? and 
unconstitutional and in breach and contravention of Article 14 
foi assigning the most essential function of data collection via 
enrollment for Aadhaar to private agencies; 

H. The aforesaid notification is further illegal as it delegates 
excessive powers with the UIDAI without any guidelines or 
procedure, leading to further unrestricted delegation of powers 
to piivate parties creating great potential for data leakages, and 
breaches of sensitive private data leading to Indian Citizens; 

I. Cross-referencing service usage of a particular individual 
thiough a single numeric bio-metric identity has huge 
implications for building State inroads into every private 
activity and service accessed by that individual, this is further 
complicated by the possibility of private actors also accessing 
similar inJormation. This convergence of silos of information 
will completely abolish the veneer of privacy that protects the 
daily lives of individuals. 

J. The Hon ble Supreme Court of India has repeatedly upheld the 
right to privacy within the right to life in Article 21, and any 

restriction must be justified through a rational and reasonable 

« 

statutory procedure. UIDAI, as it presently stands is prima facie 
unconstitutional tor contravening the right to privacy without 
providing any safeguards, procedures and guidelines 
Iv. The UIDAI is further frought and arbitrary for failing to provide 
a rational nexus between means .adopted of obtaining sensitive 


personal information in a central database through private, or 
public-private partnerships for verification purposes in a central 
database and the ultimate objective of improving public 
welfare; wherein the whole premise is based on non-duplication 
of identity through biometrics, which still remains unproven. 

L, The aforesaid impugned scheme is further in breach of right to 
di gni ty and personal autonomy enshrined under Article 21, by 
making the Aadhaar mandatory, thereby forcing people to 
submit themselves to an unreliable, untested, premature scheme 
which has no statutory standing and compromises their personal 

lives. 

35. The Petitioners submit that they have not filed any other 
• petition in respect of the present issue before this Hon’ble 

Court or the Supreme Court of India. 

36. The Petitioners are residing at Mumbai Respondents are 
registered offices in Mumbai and New Delhi there foie the 
cause of action has arisen within the original side jurisdiction 
of this Hon’ble Court, hence, it can admit the petition and 

hear it. 

37. he Petitioners states that they have no other alternative 
efficacious remedy but to approach this Hon’ble Courl and 

i I 

the relief as prayed for if granted shall be complete. 

38. The Petitioners will rely on documents a list whereof is 

annexed hereto. 

39. There is no delay or laches in filing this petition. 


40.The Petitioners have affixed the required court fees_to 


this Petition. 


41.No caveat with regard to the subject matter of this petition ' 
has been received by the Petitioners till date. 

Pr.AY£* s Pray CD rod*'. 

THE PETITIONERS THEREFORE PRAYS 


A. For a Writ of Certiorari or any writ, order, direction in the 
nature of certiorari or any other appropriate writ, order of 

^ direction quashing the notification dated 2 ^^janu^ y^ 
/y /loci n)iexed at Exhibit F; 

B. For a writ of Prohibition or a writ, order or direction in the 
nature of prohibition or any other appropriate write, order of 
direction restraining the Respondents from taking any further 
steps of any nature whatsoever in relation to UID; 

C. Till the final hearing and pendency of this Public Interest 
Litigation, this Hon’ble Court may be pleased to stay the 
operation of the impugned dated 29 th January 2008annexed at 
Exhibit F; 

D. Till the final hearing and pendency of this Public Interest 

Litigation, this Hon’ble Court may be pleased to restrain the 

Respondents from taking any further steps of any nature 

whatsoever in relation to UID; 

7/M T£*IIV Oaocaa Pratcp Foit 

E. For ad interim relief in terms of prayers C and D; 
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F. For any other orders that this Hon’ble Court may deem fit; 
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Petition drawn by me 



Advocate for the Petitioners Petitioner No. 1 
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Petitioner No. 





Petitioner No. £ ,. , 



VERIFICATION 


I, 


\/t '--V ^ ^°:' * the Petitioner No. 


abovenamed residing at ^ c 


V 


ut -v_ 


\~ i U.V -v(. \ 



do hereby state and solemnly declare that what is stated in paras No. 

f to 3 ^ is true to my own knowledge and whatever is 
stated in remaining paras no.^/to para h. 1 is stated on information and 



belief which I believe the same to be true. 


Solemnly declared at Mumbai 




On this & day of January 2012 



} Petitioner No. T 



Identified by me 


^ - 

MIHIR DESAI 


Advocate for the Petitioners 




IN THE HIGH COURT OF JUDICATURE AT BOMBAY 
ORDINARY ORIGINAL CIVIL JURISDICTION 

> 

PUBLIC INTEREST LITIGATION NO. OF 2012 

In the matter of the public 
interest of protecting the rights, 
of privacy, autonomy, dignity 
and free and full enjoyment of 
life of the citizens of India, 

guaranteed under Articles 1.9 

* 

and 21 of the Indian 
Constitution; 


AND 


In the matter of non-voluntary 
and premature implementation 
of “Aadhaar” in strict breach of 
Article 21 of the Indian 

l 

Constitution 


AND. 
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In the matter of excessive 
delegation of essential function 
without any guidelines, rules or 
police framework in 
Notification Dated 29 th January 
2009 creating the UIDAI 


AND 



In the matter ol potential 
breaches of the right to privacy 
of citizens of India, through the 

means of data collection, 
storage and sharing by the 
UIDAI, without any legitimate 
and rational nexus of improving 
the public welfare system 


AND 


In the matter of standing 
committee of the Parliament 
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4. Dr Nagarjuna G., aged 49 years 

Residing at 502, Bhaskara, TIFR Residential Complex, 
Homi Bhabha Road, Colaba, 

Mumbai 400005 

Email ramakumarr@qmail.com 

5. Prof. R. Ramkumar, aged 37 years, 

Residing at B2/12, Reserve Bank of India, 

Officer’s Quarters, C.hakala, 

Andheri-East, 

Mumbai 400 093 • • .Petitioners 

Email naaariun@gnowledge.orci 


Versus 

1. UNIQUE IDENTIFICATION AUTHORITY OF INDIA, 
Planning Commission, 

Government of India, 

3 rd Floor, Tower II, 

Jeevan Bharati Building, 

Connaught Circus, 


New Delhi 110001 
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2. Mr. A B. Pandey. 

Deputy Director General, UIDAI, 

Mumbai Regional Office, 

5"’ & 7"’ Floor, MTNL Building, 

BD Somani Marg, Cuffe Parade, 

Mumbai 400 005 

2- The Chairperson. Planning Commission oi'India, 

Yojana Bhavan, Sansad Marg, 

New Delhi. 

3. National Informatics Centre 

i 

Department of Information Technology, 

Ministry of Communications and Infonna,ion Technology, 
A-Block, CGO Complex, 

Codhi Road, ,New Delhi - 110 003 India 

4. Union of India 


Through the Ministry of Finance 
New Delhi. 

5. Union of India 



Through the Ministry of Home Affairs 
New Delhi. 


respondents 


VAKALATNAMA 


Prothonotary & Sr. Master 
High Court, O.O.CJ 
Mumbai 



Madam, 


We, the Petitioners abovenamed do hereby appoint Mihir Desai, 
Advocate, High Court, to act, appear, and plead on my behalf in the 

above matter. 


IN WITNESS WHEREOF WE HAVE SET AND SUBSCRIBED OUR 
HANDS TO THIS WRITING on this day of January, 2012 at 

Mumbai. 

Accepted 


MIHIR DESAI 

Advocates for the Petitioners 

22, Raja Bahadur Mansion 

2 nd floor, Opp. State Bank of India 

Mumbai Samachar Marg 

Fort, Mumbai - 400 023. 



Petitioner No.l 




Petitronen - No. 3 


.... * ‘ 

LV-d. rT 
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Petitioner No.C^ 
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IN THE HIGH COURT OF JUDICATURE AT BOMBAY 

ORDINARY ORIGINAL CIVIL JURISDICTION 
PUBLIC INTEREST LITIGATION NO. OF 2012 


Vickram Crishna & Ors .... Petitioners 

V ersus 

Unique Identification Authority of India & Ors.... Respondents 




MEMORANDUM OF REGISTERED ADDRESS 
Vickram Crishna 
C/o MIHIR DESAI 
22, Raja Bahadur Mansion 
2 nd floor, Opp. State Bank of India 
Mumbai SamacharMarg 
Fort, Mumbai - 400 023. 



Advocate for the Petitioners 
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IN THE HIGH COURT OF JUDICATURE AT BOMBAY 
ORDINARY ORIGINAL CIVIL JURISDICTION 
PUBLIC INTEREST LITIGATION NO. OF 2012 


Vickram Crishna & Ors ....Petitioners 

Versus 

Unique Identification Authority of India & Ors.... 

Respondents 



LIST OF DOCUMENTS 

All the documents annexed at Exhibit A to Exhibit T ' 
Any other documents relevant for the successful 
prosecution. 


i » , 




Advocate for Petitioners 
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STATEMENT \{J 


The project that proposes to give every resident a unique identity number 
is a matter of great concern for those working on issues of food security, 
NREGA, migration, technology, decentralisation, constitutionalism, civil 
liberties and human rights. The process ot setting up the Authority has 
resulted in very little, if any, discussion about this project and its effects 
and fallout. The documents on the UIDAI website, and a recent draft law 
(the National Identification Authority Bill, which is also on the website) 
do not provide answers to the many questions that are being raised in the 
public domain. This project is intended to collect demographic data about 
all residents in the country. It is said that it will impact on the PDS and 
NREGA programmes, and plug leakages and save the government large 
sums of money. It would, however, seem that even basic procedures have 
not been followed before launching on such a massive project. 


Before it goes any further, we consider it imperative that the following be 
done: 

Do a feasibility study: There are claims made in relation to the project, 
about what it can do for PDS and NREGA, for instance, which does not 
reflect any understanding of the situation of the situation on the ground. 
The project documents do not say what other effects the project may 
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have, including its potential to be intrusive and violative of privaev, who 
may handle the data (there will be multiple persons involved in entering, 


maintaining and using the data), who may be able to have access to the 


data and 


simi lar other questions. 


Do a cost-benefit analysis: It is reported that the UIDAI estimates the 
project will costs Rs 45,000 crores to the exchequer in the next 4 years. 
This does not seem to include the costs that will be incurred by 
Registrars, Enrollers, internal systems costs that the PDs system will have 
to budget if it is to be able to use the UID, the estimated cost to the end 


user and 


to 



number holder. 


In a system such as this, a mere statement that the UIDAI will deal with 
the security of the data is obviously insufficient How does the UIDAI 
propose to deal with data theft? If this security cannot be reasonably 
guaranteed, the wisdom of holding such data in a central registrv may 

nee< * t0 be reviewed. 


The involvement of firms such as Ernst & Young and Accenture raise 
further questions about who will have access to the data, and what that 
means to the people of India. 

Constitutionality of this project, including in the matter of privacy, the 
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idationship between the state and the people, security and other 


fundamental 


rights. 




Questions have been raised which have not been addressed so far. 


including 


those 


about 


Undemocratic process. UIDA1 was set-up via a Gol notification as an 
attached office of the Planning Commission without any discussion or 
debate in the Parliament or civil society. In the year and a half of its 
inception, the Authority has signed Mo Us with virtually all states and 
UTs, LIC, Petroleum Ministry and many banks. In July, the Authority 
circulated the draft NIA Bill (to achieve statutory status); the window for 
public feedback was two weeks. Despite widespread feedback and calls 
for making all feedback public, the Authority has not made feedback 


available. Further in direct contravention to the process of public 
feedback, the NIA Bill was listed for introduction in the Lok Sabha 2010 


monsoon 


session 


Privacy (It is only now that the DoPT is said to be working on a draft of a 
privacy law, but nothing is out for discussion even yet) 
Surveillance: where this technology, and the existence of the UID 


number, and its working, could result in increasing the potential for 
surveillance 
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Profiling, Tracking, Convergence, by which those with access to state 
power, as well as companies, could collate information about each 
individual with the help of the UID number. 




National IDs have been abandoned in the US, Australia and the newly- 
elected British government. The reasons have predominantly been, costs 
and privacy. If it is too expensive for the US with a population of 308 
million, and the UK with 61 million people, and Australia with 21 million 
people, it is being asked why India thinks it can prioritise its spending in 
this direction. In the UK, the Home Secretary explained that they were 
abandoning the project because it would otherwise be 'intrusive bullying 
by the state, and that the government intended to be the 'servant of the 
people, and not their 'master. Is there a lesson in it for us? In the late 
nineties, the Supreme Court of Philippines struck down the Presidents 
Executive Order A.O 308 which instituted a biometric based national ID 
system calling it unconstitutional on two grounds the overreach of the 
executive over the legislative powers of the congress and invasion of 
privacy. The same is applicable in India UIDAI has been constituted on 
the basis of a Gol notification and there is a fundamental risk to civil 
liberties with the convergence of UID, NATGRID etc. 
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The UIDA1 is still at the stage of conducting pilot studies. The biometric 
pilot saidy has reportedly already thrown up problems especially among 
the poor whose fingerprints are not stable, and whose iris scans suffer 
from malnourishment related cataract and among whom the incidence of 
comeal scars is often found. The project is clearly still in its inception. 
The project should be halted before it goes any further and the prelude to 
the project be attended to, the public informed and consulted, and the 
wisdom of the project determined. The Draft Bill too needs to be publicly 
debated. This is a project that could change the status of the people in this 
country, with effects on our security and constitutional rights, and a 
consideration of all aspects of the project should be undertaken with this 

in mind. 


We, therefore, ask that: 

The project be halted 

A feasibility study be done covering all aspects of this issue 
Experts be tasked with studying its constitutionality 
The law on privacy be urgently worked on (this will affect matters way 

beyond the UID project) 

A cost: benefit analysis be done 

A public, informed debate be conducted before any such major change be 

brought in. 
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This Statement was issued to the Press on 28th September, 2010 in New 

Delhi 




List of signatories to the Statement on the UID 
Justice VR Krishna Iyer, Retired Judge, Supreme Court of India 

satgamaya@dataone. in 

Prof Romila Thapar, Historian romila.thapar@gmail.com 
K.G.Kannabiran, Senior Civil Liberties Lawyer 
kg.kannabiran@gmail.coin 

Kavita Srivastava, PUCL and Right to Food Campaign 

Aruna Roy, MKKS, Rajasthan 
Nikhil Dey, MKKS, Rajasthan 
S.RSankaran, Retired Secretary, Government of India 
Deep Joshi, Independent Consultant 

Upendra Baxi, Jurist and ex-Vice Chancellor of Universities of Surat and 

Delhi BaxiUpendra@aol.com 
Uma Chakravarthi, Historian 
Shohini Ghosh, Teacher and Film Maker 
Amar Kanwar, Film Maker 
Bezwada Wilson, Safai Karamchari Andolan 

» 

Trilochan Sastry, IIMB, and Association for Democratic Reforms 
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Prof. Jagdeep Chhokar, ex- IIMA, and Association for Democratic 

Reforms 

Justice A.P.Shah, Retired Chief Justice of High Court of Delhi 

a j itprakashshah@gmail .com 
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Strategy Overview I 


Executive Summary 

Overview 

in India, an inability to prove identity is one of the biggest barriers preventing the poor from 
accessing benefits and subsidies. Public as well as private sector agencies across the country 
typically require proof of identity bclcie providing individuals with services. But till date, there 
remains no nationally accepted, verified identity number that both residents and agencies can use 
with ease and confidence. 

As a result, every time an individual tries to access a benefit or service, they mur;t undergo ?. full 
cycle of identity verification. Odleront service providers also often have different requirements ir. 
diedoccments they demantl, the forms that require filling out, and the information they collect on 
the individual. 

Such duplication of effort and ‘identity silos' increase overall costs of identification, and cause 
extreme inconvenience to the individual. Hus approach is especially unfair tc India's poor and 
underprivileged residenis, who usually lack identity documentation, and find it difficult to meet 
the costs of multi pie verification processes. 

There are clearly, immense benefits from a mechanism that uniquely identifies a person, and 
ensures instant identity verification. The need to prove identity only once will bring down 
transaction costs for the poor. A clear identity number would also transform the delivery of social 
welfare programs by making them more inclusive of communities now cut off from such benefits 
due to their lack of identification It would enable the government to shift from inairecttodircct 
benefits, and help verify whether the intended bond iciaries actual ly receive funds/subsidies. 

A single, universal identity number will also be transformational in eliminating fraud and 
duplicate identities, since individuals will no longer be able to represent 

themselves differently to different agencies. This will result in significant savings to the state 
exchequer. 

The UlDAl-evolvingaaapproach to identity 

The Covernmentofindia undertook an effort to provide a clear identity to residents first in 1993, 
with the resue of photo identity cards by the Election Commission. Subsequently in 2003, the 
Governmentapproved the Multipurpose National Identity Card (MNICJ. 

The Unique Identification Authority oi India (UIDAIJ was established in January 2009, as an 
attached office to the Planning Commission. Ine nurpose of the UIDAl is to issue a unique 
identification number(UiD) to all Indian residenis that is (a) robust enough to eliminate duplicate 
and fake identities, and (b) can be verified and authenticated in an easy, cost-effective way. The 
UIOAI’s approach will keep in mind the learnings from the government's previous efforts at 
issuing identity. 
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Executive Summary 

Overview 


In India, an inability to prove identity is one of the biggest barriers preventing the poor from 
accessing -benefits and subsidies. Public as well as private sector agencies across the country 


typically require proof of identity beicie providing individuals with services. But till date, there 
remains no nationally accepted, verified identity number that both residents and agencies can use 
wi di ease and confidence. 


As a result, every time an individual tt ies to access a benefit or service, they must undergo a full 
cycle of identity verification. Different service providers also often have different requirements ir. 
died.icuments they demand, die forms that require filling out, and the information they collect on 
die individual. 


Such duplication of effort and 'identity silos’ increase overall costs of identification, and cause 
extreme inconvenience to the individual. This approach is especially unfair to India's poor and 
underprivileged residents, ivho usually lack identity documentation, and find it difficult to meet 
the costsofmultiple verification processes. 


There are clearly, immense benefits from a mechanism that uniquely identifies a person, and 
ensures instant identity verification. The need to prove identity only once will bring down 
transaction costs for the poor. A clear identity number would also transform the deliveiy of social 
welfare programs by making them more inclusive of communities now cut off from such benefits 
due to their lack of identification (t would enable the government to shift from indirect to direct 
benefits, and help verify whether the intended beneficiaries actually receive funds/subsidies. 


A single, universal identity number will also be transformational in eliminating fraud and 
duplicate identities, since individuals will no longer be able to represent 


themselves differently to different agencies. This will result 
exchequer. 


in significant savings to the state 


The U1DA1 - evalvingan approach to identity 


The Governmentof India undertook an effort to provide a clear identity to residents first in 1993, 
with the issue of photo identity cards by the Election Commission. Subsequently in 2003, the 
Government approved the Multipurpose National Identity Card (MNICJ. 


The Unique Identification Authority of India (UIDAIj was established in January 2009, as an 
attached office to the Planning Commission. T ne purpose of the UIDAi is to issue a unique 
identification number{UID] to all Indian residents that is (a] robust enough to eliminate duplicate 
and fake identities, and (b) can be verified and authenticated in an easy, cost-effective way. The 
UIDAPs approach will keep in mind Lhe learnings from the government's previous efforts at 
issuing identity. 


Unique iiVniiftcmuni Authority of India 

Strategy Overview 


2 


The UIDAI will be created as a statulory body under a separate legislation to fulfill its objectives. 
The law will also stipulate rules, regulations, processes and protocols to be followed by different 
agencies partnering with the UFDAI in issuing and verifying unique identity numbers. 

Features of the UIDAI model 

The Unique Identification number (UID) will only provide identity: The UIDAI's purview will 
be limited to the issue of unique identification numbers linked to a person s dcmog r aphic and 
biometric information.The UID will only guarantee identity, not rights, benefits oi entitlements. 

The UID will prove identity, aot citizenshio: All residents in the country can be issued a unique 
ID.The UID is proofof identity and docs notconfcr citizenship. 

A pro-poor approach: The UIDAI envisions full cnrohnenlof residents, with a focus on enrolling 
India's poor and underprivileged communities. The Registrars that the UIDAI plans to partner 
'"ilh - the NREfiA, R5BY. and PDS - will help bring large numbci s of the poor and underprivileged 
into the U!D system. The UID method of authentication will also improve service delivery for the 

poor. 

Enrolment of residents wiih proper verification: Existing identity databases in India aie 
fraught with problems of fraud and duplicate/ghost bcncfiuarics. To prevent this from seeping 
into the UIDAI database, the UIDAI plans to enrol residents hue its database with proper 
verification of their dcmograohic and biometric information. This wil! cnsuic that the data 
collected is clean from the start of the program. 

However, much of the poor and underserved imputation lack identity documents and the UID may 
be the first form of identification they have access to. The UIDAI will ensure that the Know Your 
Resident (KYR) standards don't become a barrier for enrolling the poor, and will devise suitable 
procedures to ensure their inclusion wilhoul compromising Ihc integrity of the data. 

A partnership model: The UIDAI approach leverages Uic existing infrastructure of government 
and private agencies across India, The UIDAI will be the legulatory authority managing a Central 
Identities Data Repository (CIDR), which will issue UIDs, update resident information, and 

authentkratethe identity of residents as required. 

In addition, the UIDAI will partner with agencies such as central and state departments and private 
sector agencies who will be 'Registrars' for the UIDAI. Registrars will process UID applications, 
and connect to the CIDR to de-duplicate resident information and receive UID numbers. These 
Registrars can either be cnrollers, or will appoint agencies as enroliers, who will interface with 
people seeking UID numbers. The Authority will also partner with service providers for 

authentication. 

The UIDAI will emphasize a flexible model for Registrars: The Registrars will i etain significant 
flexibility in their processes, including issuing cards, pricing, expanding KYR (Know Your 
Resident) verification, collecting demographic data on residents for their specific requirements, 
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and in authentication. The UIDAI will provide standards to enable Registrars maintain uniformity 
in collecting certain demographic and biometric information, and in basic KYR. These standards 
have been finalized by the Demographic Data Standards and Verification Procedures Committee 
and BiometricStandardsCommittees which was constituted by the UIDAI constituted. 

Enrolment will not be mandated: r \ lie IJIDAI approach will be a demand-driven one, where the 
benefits and services that arc linked to the UID will ensure demand for the number. This will not 
however, preclude governments or Registrars from mandatingenrolment. 

TheUiDAI will issue a number, not a card: The UIDAl's role is limited to issuing the number This 
number maybe printed on ihedocmnenl/card that is issued by the Registrar. 

The number will noc contain intelligence: Loading intelligence into identity numbers makes 
them susceptible to fraud and theft. The UID will be a ra ndom n umher. 

The UIDAI wiH only collect basic information on the resident: The UIDAI will seek the 
follcwingd^mogi aplucand biometric informa r ion in order to issue a UID number: 

- Name 

• Date of birth 

■ Gender 

- Father's/ Husband’s/Guardian's name and UID number (optional for adult residents) 

■ Mother's/ Wife's/Guardian's name and UIDnamoer (optional loraciuit residents) 

• Introducer’s name and UID number (in case of lack of documents) 

• Address 

■ All ten fingerprints,photograoh'and both ins scans 

Process to ensure no duplicat&s^egist^^ the applicant’s data to the C1DR for de- 

duplication. The Cl DR will perform a search on key demographic fields and on the biometrics for 
each new enrolment, to enstue that no duplicates exist. 

The incentives in the UiO system are aligned towards a self-cleaning mechanism. The existing 
patchwork of multiple databases in India gives individuals the incentive to provide different 
personal information to different agencies. Since de-duplication m the UID system ensures that 
residents have only one chance to be in the database, individuals will provide accurate data. This 
incentive will become especially powerful as benefits and entitlements are linked to the UID. 

Online authentication: The UIDAI will offer a strong form of online authentication, where 
agencies can compare demographic and biometric information ol the resident with the record 
stored in the central database. The Authority will support Registrars and agencies in adopting the 
UID authentication process, and will help define the infrastructure and processes they need. 
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The UIDAI will not share resident data: The UIDAI envisions a balance between 'privacy and 
purpose' when it comes to the information it collects on residents. The agencies may store the 
information of residents they enrol if they arc authorized to do so, but they will not have access to 

the information in the UID database.The UIDAI will answer requests to authenticate identity only 
through a 'Yes' or ‘No* response 

Technology wil* undergird the UIDAI system:Tcchnology systems will have a major role across 
the UIDAI infrastructure. The UfD database will be stored on a central server. Enrolment of Hie 
resident will be computerized, and information exchange between Registrars and the CIDR will be 
over n network. Authentication of the resident will be online. The Authority will also potsvstems 

inplace for the security and safety of information 

Benefits 


For residents: Tl.e UID will become the single souree of identity verification. Once residents 


enroi they can use the number multiple tunes - they would be spared the hassle cf repeatedly 
providing supporting identity documents each time they wish to access services such as obtaining 


a bank account, passport, driving license, and so on. 


Bvproviding a dear proof of identity, the UID will also facililalecntry lor poor and underprivileged 
residents into the formal banking system, and the opportunity to avail services provided bjr the 
government and the private sector. The UID will also give migrants mobility of Identity. 


For Registrars and enrollers: The UIDAI will only enrol residents after dc-duplicating their 
records. This w>(l help Registrars clean out duplicates from Mieir databases, enabling significant, 
efficiencies and cost savings. For Registrars focused on cosi. the UiDAI’s verification processes wil! 
ensute lower KYR costs. For Registrars focused on social goals, a reliable identification number 
will enable them to broaden their reach into groups that till now, have been difficult to 


authenticate. The strong authentication that the IHD number offers will improve services, leading 
to belter rcsidenlsalisfaclion. 


For Governments: Eliminatingduplication under various schemes is expected to save substantial 
money for the government exchequer. It will also provide governments with accurate data on 
residents, enable direct benefit programs, and allow government departments to coordinate 
investments and share information. 


Revenue Model 


By providing identity authentication the UIDAI will be taking on a process that costs agencies and 
service providers hundreds of crores every year. The Authority will evolve suitable policies on the 
issue of charging a fee for its authentication services, which will offset its long-term costs. 
Registrars and service providers will also be able to charge for the cards they issue residents with 
the UID number. Such pricing will be within UIDAI guidelines. 
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Timelines 

The UIDAI will start issuing UIDs between August 2010 and February 2011, and plans to cover 600 
million people within A years from the start of (he issuing of the first set of UIDs. This can be 
accelerated if more Registrars partner with the UIDAI for both enrolment and authentication. The 
adoption of'UiOs is expected to gain momentum with time, as the number establishes itself as the 
most accepted identity proofin the counny 

Conclusion 

India willbethefirstcountry to implement r» biometric-based unique ID system for its residents on 
such a large scale. Tnc UIO will serve as a universal proof of identity, allowing residents to prove 
then identity anywhere in the country. It will give the government a clear view Oi India's 
population, enabling it to target and deliver services effectively, achieve greater returns on social 
investments, and monitor money and resource flows across the country. 

The liming of this initiative is encouraging - the creation of the (JIDAI coincides with growing 
social investment in India, a shift in focus to diux: benefits, and with the spread of IT and mobile 
phones, which has made the public receptive to lechnoiogybased solutions. The UIDAI is 
committed to malting this project a success. An initiative of this magnitude will also requii e the 
active participation of central, state and local governments, as well as public and private sectci 
agciwries across Uie country. With their support, the project will help realize a larger vision of 
inclusion and development for!ndta. 
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A crucial factor that determines an individual's well-being in a country is whether their identity is 
recognized in the eyes of the government. Weak identity limits the power of the country's 
residents when it comes to claiming basic political and economic rights. The lack of identity is 
especially detrimental for the poor and (he underprivileged, the people who live in India's "social, 
political and economic periphery ' Agencies in both tne public and private sector in India usually 

requirea clear proof of identity to provide so '-vices. Since the poor often lack such documentation, 

they face enormous barriers in accessing benefits and subsidies. 


For governments and individuals alike, strong iucnuly (or residents nas real economic value. 
While weak identity systems cause the individual to miss out on benefits ana services, it also 
makes it difficult for the government to account (or money and resource (lows across a country, in 
addition, it complicates government efforts to account for residents during emergencies and 
sccui ity threats. 


However in India, the goat of issuing a universally used, unique identity number to each resident 
poses a significantchallenge. A project of this scale has not been attempted anywhere in the world, 
and requires an innovative model, distinct fioin what we have witnessed in identity systems so far 
anywhere in the world. 


1.1 Historical background and evolution of the UiDAI project 

« 

The Unique identification project was initially conceived by the Planning Commission as an 
initiative that would provide a dear and unique identity number for each resident acioss the 
country and would be used primarily as the basis for efficient delivery of welfare services. It would 
also act as a tool for effective monitoring of various programs an J schemes of the Government. 

The concept of unique identification was first discussed and worked upon since 2006 when 
administrative approval for the project -"Unique ID for BPL families" was given on March 3rd, 
2006 by the Department of Information Technology, Ministry of Communications and Information 

Technology. This project was to be implemented by the NIC over a period of 12 months. 
Subsequently, a Processes Committee to suggest piocesses for updation, modification, addition 
and deletion of data fields from the core data base (o be created under the Unique ID for BPL 
families Project was setup oil July3rd 2006. 

A "Strategic Vision on the UID Project" was prepared and submitted to this Committee. It 
envisaged the close linkage that the UID would have to the electoral database. The Committee also 
appreciated the need of a UID Authority to be created by an executive order under the aegis of the 
Planning Commission to ensure a pan-dcparlmenlal and neutral identity for the Authority and at 
the same time enable a focused approach to attaining the goals set for the XI Plan. The Seventh 
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Meeting of the Process Committee on 30th August 2007 decided to furnish to the Planning 
Commission a detailed proposal based on the resource model for seeking its "in principle" 
approval. 


At the same time, the Registrar General of India was engaged in the creation of the National 
Population Registrar and issuance ofMulti-purpo.se National Identity Cards to citizens of India. 


Therefore, it was decided, with the approval of the Prime Minister, to constitute an Empowered 
Group of Ministers (EGoM) to collate the two schemes - the National Population Register under 
the Citizenship Act, 1955 and the Unique Identification Number project of the Department of 
Information Technology. The EGoM was also empowered to look into the methodology and 
specific milestones for early and effective completion of the Project and take a final view on these. 
The EGoM was constituted on December 4 th, 2006. 


The first meeting of the EGoM was held on November 27th, 2007. It recognised the need for 
creating an identity related resident database, regardless of whether tne database is created based 
on a de-ivovo collection ofindividmi data oi is basec* on ah eady existing data such as the voter list. 
It also recognised that there is a crucial and imperative need to identify and establish an 
institutional mechanism that will "own" the database and will be responsible for its maintenance 
and updating on an ongoing basis, post its creation. 


The second meeting of the EGoM was held on January 28lh, 2008. It decided on the strategy for 
the collationofNPRand UfD. Inter-alia, the proposal to establish iJ ID Authority under the Planning 
Commission was approved. 

The third meeting of the EGoM was held on August 7 ih, 2008. The Planning Commission had 
placed before the EGoM a detailed proposal foi setting up the UtDAI. The meeting decided that 
certain issues raised by the members with relation to the UfDAl would need to be examined by an 
official level committee. It referred the matter to a Committee ofSecretaries to examine and give its 
recommendations to the EGoM to facilitate a final decision. 


Subsequent^*) the Committee of Secretaries recommendations, the fourth meeting of the EGoM 
was held on November 4th, 2008.Thc recommendations of the Committee oi Secretaries was 
presented to the EGoM and the following decisions were taken: 


a) Initially die UIDAI may be notified as an executive authority, and investing it with 
statutory authority could be taken up for consideration later at an appropriate time. 


b) UIDAI may limit its activities to Ihc creation of the initial database from the electoral 
roli/EPIC data. IJIDAI may however additionally issue instructions to agencies that 
undertake creation of databases to ensure standardization of data elements. 


c) UIDAI will take its own decision as to how to build the database. 

d) UIDAI would be anchored in the Planning Commission for five years after which a view 
would be taken as to where the UIDAI would be located within Government. 
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c) Constitution of the UIDAI with a core team of 10 personnel at the central level and 
directed the Planning Commission to separately place a detailed proposal with the 
complete structure, rest of staff and organizational structure of UIDAI before the 
Cabinet Secretciy for his consideration prior to seeking approval under normal 
proced u re through the DoE/CCEA. 

f) Approval to the constitution of the Slate U1D Authorities simultaneously with the 
Central (JfDAI with a core team of3 personnel. 



December 2009 was given as the target dale lor UID to he 
an initial set ofauthorized users. 


made available for usage by 


h) Priot to seeking approval for the complete oiganizational structure end full 

component of sialf through UoE and CCEA as per existing procedure, the Cabinet 

Secretary should convene a meeting to finalize the detailed organizational structure, 
slaff and other i requirements. 


1 .1, Subsequently, on January 22nd, 2009 the Cabinet Secretary in pursuance of the decisions of 
the Empowered Croup of Ministers considered die proposal submitted by the Department of 
Information Technology regarding the governance structure and recommended that 

a) The notification for constitution ofthe UIDAi should be issued immediately. 

b) A rligh Level Advisory, Monitoring and Review Committee headed by Deputy Chairman, 

Planning Commission to be constituted to oversee Ihc work of die authority. 

c) A Member, Planning Commission or the Secretary, Planning Commission may be also 

assigned the taskoflookingafterthe work proposed ofthe ChiefUID Commissioner. 

d} Cere Team to be put in place. 

In pursuanccofthc Empowered group of M misters' fourth meeting dated November 4th, 2008, the 
unique identification Authority of India was constituted and notified by the Planning 
oor.niusi.iun un January 28th, 2009 as an attached office under the aegis of Planning Commission 
wit i an initial core team of 115 officials. The role and responsibilitiesof the UIDAI was laid down in 
this notification. The UIDAi was given the responsibility to lay down plan and policies to 

implement UID scheme, and shall own and operate the UID database and be responsible for its 
updation and maintenance on an ongoing basis. 

Subsequently on July 2nd, 2009 Shr Nandan Nilekani was appointed as the Chairman of the UIDAI. 
Shi I Nilekani assumed charge on 23rd July, 2009 and since then the UIDAI has started functioning. 

The Prime Minister's Council on UID Authority was constituted on 30th July, 2009 and its first 

meeting had taken place on 12th August, 2009. The Council endorsed the broad approach 
submitted by the UIDAI. 


Subsequently, the Government constituted a Cabinet Committee on Unique Identification 
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Authority oflndia vide its order no 1/11/6/2009 dated 22nd October, 2009. The functions of this 
Committee, as per this notification are: All issues relating to the Unique identification Authority of 
India including its organisation, plans, policies, programmes, schemes, funding and methodology 
to be adopted for achieving the objectives of that Authority. 

1.2 The UIDAl approach 


In 2007, the Planning Commission had i ecommondeu an approach to issuing unique identification 
numbers, where the enrolment into a Unique Identification (UID) database could be speeded up 
by using existing resident records m the databases of the Election Commission. PAN etc. This 
approach would speed up enrolment lor those residents present in one of the aforementioned 
databases. These databases however, may contain inaccuracies. 


The model envisioned by the Unique Idenlihcation Authority cl India (UIDAI) takes into account 
die inputs of the Planning Commission, as well as learnings from the previous approaches to 
identity. The detailed approach and the model of implementation is explained in subsequent 
chapters. 
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the reach and flexibility to enrol residents 


across the 
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. Centra! ID Data Repository (ClOR), which will manage the” ‘ a „^' 

nccworkofRegistrars who will establish resldcRl touch points through Enrobing Agencies.' 

2.1 i he Central Identifies Data Repository (CIDRJ 

Irn Trlnf Wl11 b t°,^ C CCnlra ' data rcp0silcry ' and wi,i function as a Managed Service Provider It 
Will implement the core servi-es amnnd »-So nm v . . b L 1 ruviaer ( t 

identification numbers, and verify, authenticate and amend rcsidcnl^ata." 1 * eC ° rdS ' * SSUe Unique 

^ r 

z.z The Unique Identity Number 

TheUnique (Dor DID will be a,tumeric that is unique across all 1.2 billion residents in India. 

Ic in',mtZ^" T C °" M " ": Kllige " Ce '• ,lde '' V«ems. it was customary ioad 

However ^ f rC ' atel 10 11,0 ° ,binh ' * «l as the location of the person 

- .. *“ '" i,ke!i *' number susceptible to fraud and theft, and migration of the resident 

quickly makes location details oulof date. The UID will be a random number 

The UIDfsl will also becollectingthc following data licids and biometrics for issuing a U1D: 

* Name 

■ Date of birth 

* Gender 

" Father's/Husband's/Guardian’s name and UID (optional for adult residents] 

Mother's/ Wife’s/ Guardian's name and UID (optional for adult residents) 

1 introducer'snanicand UID (incase oflackofdocumcnls) 

1 Address 

All ten finger prints, photograph and both iris scans 


V 




’* i ; ~ it*.,. t*-i. nuaK»nn r iiK'ii 111 

* » 

Strategy Overview { 

2.3 The Unique ID agencies 

The UIDAI will partner with a variety of agencies and service providers to enrol residents for U1D 
numbers and verify their identity. 



sw ! 


The structure of these UID agencies wil! he as follows: 

Registrars - Registrars will be State governments or central government agencies such as the Oil 
Ministry and U€. Registrars may also be private sector participants such as hanks and insurance 
firms. 

» 

The UiOAl will enter into memorandum of understandings' (MoUs) with individual Registrars, 
and enable their on-boarding into the UID system. 1 he Registrars will need to make changes to 
Ibeirprocesses to be (Jib-ready. The UIDAI will support them in this, and in linking to the CIDR, 
connecting to the UIO system, and adding UID fields to their databases. 

The Registrar will take on the responsibility of ensuring that clean and correct data Hows into the 
CIDR. Their key role in the system will be in aggregating enrolments Irom sub-registrars and 
enrolling agencies and forwarding it to the CIDR. Each Registrar will adopt UIDAI standards in the 
technology used for biometrics, as well as in collecting and verifying resident information, and 
submittingto audits. 
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The UIDAI will also enter into agreements with some Registrars for using the CfDR solely lor 

authentication purposes. The service providers who will adopt the UID system for identity 

authentication during service delivery will follow certain processes and standards, and may need 
to re-engineer their internal processes. 

Sub-Registrars - These will be the departments/entities that report to a specific Registrar. For 
instance, the line departments of the slate government such as the RDPR (Rural Development and 
Panchayati Raj) departmentwouldbe sub-registrars to the state government Registrar. 

Enrolling Agencies - Enrolling agencies will directly intend wuh and enrol residents into the 
CIDR. For example, the hospital where a baby is born would be the 'enrolling agency' for the baby’s 
UID, and would report to the municipality ,>ub-i egislrar. 

Outreach Groups -The UIDAI along with the Registrars will also partner with civii society groups 
and community networks which will promote the UID number and provide information o/i 
enrolment for hard to reach and marginalised populations. 

2.4 Setting standards on demographic data and biometrics 

The UIDAI's approach relies on the uniformity of standards in certain vital areas of operation. The 
Demographic data fields and verification procedure m the UID system as well as the Biometric- 
standards to be utilized ne^d to be standardized across the country and across the various 
regisliars in the UID system. This is a sine qua non for the operability o( the system. Hence, the 
UIDAI established two Comm!itees to look into the issue of.standards. ’ 

Committee on Demographic Data Standards and Verification Procedures 

The UIDAt had constituted a Committee headed by Mr. N. Vittal, former CVCcn 9th October 2009 to 
go into the question as to what demographic details should bo collected from the residents for 
assigning of unique IDs. The Committee was also to go into the question as to whatshould be the 
process of verification of the residents at the time ol their enrolment into the UID system. The 
mandate of the Committee was crurial because it is necessary to ensure that the integrity and 
correctness of the data is not compromised while ensuring that the process ofvcrification is non¬ 
harassing to individuals. The Committee was mandated to give its report within 90 days of <ts 
constitution. However, it submitted its report on 9lh December 2009, well before the ninety days’ 
period given to it. The Report of the Com mittee has been accepted by the Authority. The Committee 
recommended the following data fields : Name, Dale of birth. Gender, Father’s/ Husband's/ 
Guardian's name and UID (optional for adult residents), Mothei's/ Wife's/ Guardian's name and 
UID (optional for adult residents). Introducer's name and UID (in case of lack ofdocuments) and 
Address. It has also specified the verification process which broadly falls into three categories (i) 
Document-based, (ii) Introduccr-bascd (in case of lack of documents) and (iii) Community-based 

verifications, a process which will be followed during the creation of NPR. The Report of the Vittal 
Committee is available at www.uidai.gov.in 
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Committee on Biometric Standards 

As biometric attributes of the residents are going to be used as ihe basic signature for de¬ 
duplication and to ensure uniqueness, it is necessary to go into the question as to whatshould be 
the type and specifications of biometrics to be collected at the Lime of enrolment. Therefore, a 
Biometrics Standards Committee, under the Chairmanship of the Director Genera] of NIC, Dr BK 
Gairola was constituted by the Authority on 29th September, 2009. This Committee was also 
expected to give its report within 90 days of its constitution. The Report was submitted an 7th 
January, 2010. ThcUJDAi has examined their Report and has accepted the standards lor various 
biometric attributes a* recommended by the committee as also various other recommendations 
related to collection of biometrics and their quality. The UIDAI has also decided that the fate, all 
ten binge: points and both iris scans should be collected at cite time of capturing the demographic 
and biometric details of a resident. This will be able to ensure uniqueness of the IDs at a scale oi t.2 
billion residents. The reportof the biometric committee is also available atwwtv.uidai.gov.in 

fhe tJIO/vl was declared as an Apex body to set standards in the areas ot biometric and 
demographic data standards by (lie Prime Minister's Council ul UIDAI. Now that both these 
standards have been finalized by the UIDAI, these standards/specifications, processes and 
systemswiil be used by all the registrars to for enrolments the residents into the UID system. 
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Acritical aspect of the UID enrolment process is that enrolment will not be through a mandate, but 

will be demand driven. The momentum for the UID will come from residents enrolling in order to 
access the benefits and services associa ted wi th ir 


The fcas.c advantage of liic UID dial can ch ivc this demand, which will be communicated while 


promoting enrolment, is that the UID will be one number, which can be used to prove identity for 

hfc. Once the resident gets the unique ID, it may be accepted as identity proof across service 
providers. 


3.1 The enrolment process 

The enrolment process for die UID number will begin with a resident submitting his/her 
information to the enrolling agency with supporting documents. This information will be verified 
according to the prescribed verification procedure as per the DDSVP Committee Report, io m«tke 

sure the poor are not excluded, the UfDAI lias prescribed guidelines for applicants without 
documents. 


Once theenroflci vci ilics the resident s information, it will submit the application request- cither 
singly or in batches - through the Registrar to die CIDR. The CIDR will then run a de-duplication 
check, comparing the resident's biometric and demographic information to the records in the 
database to ensure that the resident is not already enrolled. 


Since de-duplication also compares biometric records, it would catch individuals enrolling with a 
different set of demographic details. The lact that the UID system is both de-duplicatcd and 
universal will discourage residents from giving incorrect data at the time of enrolment. 
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Once die 010 number is assigned, die UIDAI will forward the resident a letter which contains 
his/her iegistor<»d demographic and biometric details. This Idler may also have a learaway 
portion which has die UID number, name, photograph and a 2D barcode of the finger print 
minutiae digest. If there are any mistakes in the demographic details, (he resident can contact the 
relevant itegistrar/enrcUing agency as per a prescribed procedure. 

If the Registrar issues a card to die resident, the UIDAI will recommend that the card contain the 
UID number, name and photograph. They will be free to add any more information related to their 
services {such as Customer ID by bank]. They will also he free to print/ store the biometric 
collected from Ihe applicant on the issued card. II more registrars store such biometric 

information in a single card format, the cards will become interoperable for offline verification. 
But the UiDAI will not insist on, audit or enforce this. 

Alldata entry tha«he enrolling agencies take up on behalf of the Registrars will he done in English. 
It can then be converted into the local language using standard transliteration software, and 
verified for accuracy by the Registrar. The letter the UIDAI sends the resident will consequently 
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contain ,11 demographic details in English as well as the local language of the state which the 
re snfent restdes. In this regard, the IIIMI will follow the |,receded tset by the Election Commission 

3.2 Enrolment strategy in rural and urban India 

I he approach of the UIDA! to enrolment will be a pro-rural/pro-poor one. The Registrar.; targeted 
'“-"“^.PDS.Sociaiseenritypcnsions. wifibcgovernmentagLieswithUtgc 

rural netw nHts and Significant bases among the poor. As a resnlt, the UIDAI expects initial 
enrolment to be fairly i apid m both targe and small rural areas. 




All India Annual enrollment (In millions) 


'] 

l 



The enrolment st a*.cgy tor urban India will include organizations which dominate services for 
itrtan residents, such as UC and Passports. The table below summarizes the Registrars who are 
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UID Registrar 

* 

Primary 

Access 1 

Additional 
Acces 1 

Potential 

Overlap 

Effective 

Enrolment 

Crore Residents 

LPG (Oil PSU) 

8.4 ; 

*16.8' 

20 % 

20.2 

LIC (Life Insurance) 

13.5 

13.5 

50% 

13.5 

PAN-Cards 

4.0 

- 

75% 

1.0 

Passports 

; 

6.0 

- 

00 % 

1.2 

Urban Enrolment 




35.9 


1 


' 


Lie (Life Insurance) 

3 5 

3.5 

90% 

0.7 

NRFX.A 

10.U 

r 2 o.o 

10% 

27.0 

BPL Ration Cards 

7.0 

21.0 

60% 

11.2 

j 

State BPL /APL 

i:,.o 

45.0 

50% 

30.0 

Old Ago Pensioners 

i 5 

1.0 

70% 

0.8 

Women/Child Welfare 

9 

1.0 

2.0 

70% 

0.9 

Social Welfare 

1.0 

2.0 

70% 

0.9 

RSBY 

0.5 

1.0 

70% 

0.5 

Rural Enrolment 




72.0 

Total Enrolment 



— 

107.9 


la addition to those enrolicrs, the UfDAI will also partner with the Registrar Go neral of India (RGI) 
“ w ^° will prepare the National Population Register through the Census 2011 - to reach as many 
icsidents as possible and eui Oi them into the UID database. This may require incorporating some 
additionalproceduresintothePCil data col lection mechanism, in order to i^akeitlKD-ready. 


->.3 A focused eflo it to enrol the poor and hard to roach groups 


While the UiDAf intends to target Registrars that have large networks among the poor and rural 


communities in India, it will also emphasize multiple approaches to reach specific, frequently 
marginalized groups. 


Iliese arc residents who are pari ol the Regis tun's customer / subsidiary beneficiary database and can be mandated to 
provide theutHO 

The residents under additional access :i' t family members* who tan be easily covered while enrolling the primary residents. 
These can be all family members in the cased LPG connections and die nominees in case of L1C Policies. 

1 be total number ofgas*connections is 3 U 51 acres, and this estimates that there are 20% ineligible connections 

Assuming there are an aveiage ol throe members in each family having a gas connection irom an Oil PSU 
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Urban Poor 


The urban poor are among the most ignored and disadvantaged people in India. The main 
challenges in enrolment here exist because this group consists mainly of migrant workers with 
temporary or seasonal jobs. The following may be ways to get them enrolled into the UID system. 

Co-resident enrolment: Many of India's urban poor work as drivers, maids, or as workers 
associated with a family or a business. One approach to reach them could be lor the head of the 
family or business to enable these members (who are co-residents/co-workers) to get enrolled 
into the UID with the same address proof the busmesj or family uses. There can be a host of 
financial incentives offered to enrol surhco-i es.dcnls. 


Financial institutions: The urban poor often borrow from micro-finance institutions and other 


sources and these could serve as enrolment points for them. There are established chit funds that 
can also act as enrolment points for tr.e UID co improve coverage. 


NGCs and Non-profits: There are several established non-profits working in urban slums m 
education, healthcare and social emoowarment. They can be used to educate the poor on the 
benefits of the UID, for actual enrolment and lo help endorse identity for people who lack 
documentation. 


Children 


India is a young country with over 400 million residents below the age of 18. While Jainiiy-Lased 
government schemes will as Registrars, help euro 1 children, lh*s population may need to be 
specifically targeted. 


ICDS: ICDS is one of the wond's largest integrated early childhood programs, with over 40,000 
centers nationwide. The program covers over 5 million expectant and nursing mothers and 25 


million children under the age of six. These centers can be information or enrolment points for 


non-school going children. 


School admission: I* may be mandated that at the time of jo*ring school (first standard] it is 
necessary for children to have a UlU or to enrol for one. This way the child can be tracked for 
progress and targeted for direct benefits. 


The SSA program could also help enrol children in the 6-14 age group into the UID, which would 
also enable bcltcrchild tracking and improvements in the mid-day meal schemes. 

For children, the advantages from the UID would be significant. Child-related programs in India 
have relied on often inaccurate, aggregate data at school/cluster/block levels, making these 
programs ineffective. The concept of Universal Child Tracking - the ability to track every child and 
ensure their all round development - is gaining ground. An accurate database of children with 
UIDs would be immensely beneficial lo programs within the Women and Child welfare as well as 
the Education departments, which track development in angan wadis and progress of children in 
government schools, and work to eliminate child labor. 
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Women 


Apartfrom enrollers that are family-based governmentservices in both urban and rural India such 
as PDS, RSBYetc, there needs to be a strategy to cover women outside this net: 

Financial institutions: Robust collectives of women exist within micro-finance institutions and 
self-help groups across the country. These would be important em olment points for women. 

Oi-gamzations like Mahila Samakhya in the 9 states of Karnataka, Kerala, Andhra Pradesh, Gujarat, 
Uuar Pradesh, Uttar Khard, Assam and Jharkhand. They work in several thousand villages to help 
women and can act as touch points for education or enrolmentofwomen. 

The National Commission for Women: This is the apex national level organization of India for 
protecting and proi noting the interests of women They have a massive outreach program diatcan 

read, out to disadvantaged women and get them to enrol. The UID can subsequently he used as a 
unique handle fora variety oi services to be rendered to these women. 

Differently-abled people 

it is estimated that India has over 60 million differently-abled people, and identity for this 
population is a massive challenge The Disability Act oi 1995 mandates a certain percentage of 
employment for the differently-abled, hut without the dear identification of such individuals, it is 
cufficult to enforce the law. There is an obvious incentive for organizations like National Center for 
Promotion of Employment for Disabled People (NCPEDP) to promote the UID, and enable 
residents with disability to register for a range of benefits. The NGOs and rights groups associated 
with NC.PEDP would also be good mechanisms to reach out to this section of the population. 

Tribals 

India has a significant tribal population ol approximately 90 million tribals, mostly concentrated 
along a few states. The Government has many programs for the 697 notified ti ibes, which can be 
used for enrolment and information dissemination. In addition, NGOs and governments in stales 
with hign tribal populationscan he Registrars for tribal groups. 

I he above mentioned approaches are merely indicative of the strategy that the UIDA1 will follow to 
reach marginalized groups. !n addition, the UJD/\ I will roach out to other marginalized groups such 
as homeless people, individuals in shelter homes, remand homes, asylums, etc. 

Civil Society Outreach strategy 
3 A Enrolmen looses 

Enrolment costs can be' thought ol in two ways. One will be the cost to the enrolling 
agenctes/Registrars for carrying out the enrolment process. The other costs will be to the 
residents to come to thcenrolmcnt stations. Poor may have to forego their wages fora day and also 
spend some travel costs to travel to the enrolment stations The enrolment strategy will explore the 
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possibility ofvarious mechanisms for funding the enrolment costs. The Registrars have the option 
here of charging for the card? they issue residents to offset enrolment costs. The IJIDAI may issue 
guidelines around such prici n S* 

3.5 Ensuringcieanen^o^wentdata from Registrars 

The UIDAl will periodically carry out a process audit of the information that comes in from the 
Registrars, to ensure data q uality and that agencies arc following guidelines recommended by the 
UIDAl. The audit would be < m a random sample of residents, carried out either directly by the 
Authority or through appoint cd agencies The audit might focus on: 

Verification against scanned documents - The data contained in the resident records will be 
verified against the scanned documents. 

Physical document verification * The physical documents that are held by the Registrar will be 
validated against the electronic copies. 

Periodic process audits- periodic audits will be carried out to at the enrolment sites, of the 
processes and software. 

3.6 UpdatingUID detail* 

Updating information with the UI DAI 

The UID number is r lifetime number, but the biometric information contained uvthe central 
database will have to be regularly updated. Children may have to update their biometric 
information every five years, while adults update theirinformation every ten years. 

From time to time, the demographic information that the CIDR bolds on the resident may also 
become outdated. Fields that arc susceptible lo change could be the 'present address' field, as well 
as the resident's name (after marriage). There might also be an error in the fields that occurred 

during enrolment into the UIP- 

if? service provider authenticating or enrolling a resident finds, through its KYR process that the 
information provided by the resident (address, name, etc.) does not match with the UID record, or 
that the biometrics need to be renewed, it can ask the resident to update their information in the 
UID database. The service provider may make the update a condition for the resident to receive the 

scrvice/bencfil. 

Enrolling agencies and Registrars can serve as points where the resident can update their UID 
fields. The resident will have to submit their new information at these updation points with the 
required documentary evidence. This may also include a biometric authentication prior to 

processing the request. 
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3.? Readungcriticalmassineiuolmeiits 

The Authority expects to stall issuing the first set ofUIDs between August 20 10 to February 2011, 
snd enrolment for the UlO number is expected to i each a critical mass of around 2C0 million 
resklents in two to three years. Until tins point, i hcUIDAI will have to focus on generating demand 
from bodi Registrars and residents. However once the critical mass is achieved, it will generate a 
network effect that drives demand <iiui accelerates adoption among service providers and 
residents. And as more service providers across the country require the UID to dispense their 
services and benefits, adoption will ramp up rapidly. In lour years, the UIDAi estimates that it will 
issue600 million UlO numbers. 
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3.8 Tracking enrolm ents a cross the country 

TheUIDAI will employ a CIS internet-based visual reporting system to track enrolment trends and 
patterns across India, as the project is rolled out across various Registrars and stales. 
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The CIS system will show ail UID enrolments by state, as well as by Registrar. The system will also 
be able to drill down within states and into districts. 

3.9 Reachinga sustainable, steady-state in enrolment 

A challenge for full enrolment is registering the approximately 60,000 babies that are born in the 
country every day. Over the next several years, the UIDAI expects to enrol close to the entire Indian 
population. Once thatgual is achieved, enrolment will reach a steady state, where only births (and 
deaths) as well as immigrants need lu be recorded. 

1 here are however, some challenges in registering new births. First, since their biometrics is not 
stable, they have in lx* re-scanned ot a later age. Second, names are cltcn not given in India at the 
timeofbtrth legistraticn. 

The UID in the birth certificate 

One w t »y to ensure that the UID number is used by all government and m’ivate agencies is by 
inserting a into die birth certificate ol the mlani. Since the birth certificate is the original identity 
document, it is likely that this number will then persist as the key identifier through the 
indi vidua! s various life events, such as joining school, imnuin i/atioas, voting etc. 

Since the name is a mandat'dy field in the UID uataoase, il is essential that die child be given a 

name before applying lor the U(D number. This would ensure that the UID can also be allotted at 
birth. 


In the case of urban births, the municipality wilibe die enrolling authority and 

the UID Registrar can be the ‘Registrar ul Births, Deaths and Marriage 1 at the 
state level. 


a. j 
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In rural areas, births take place at district oi block level hospitals, hi health 

care centet s and at homes in the village. The village accountant is the Registrar 

ot ruial biiths, and he/she also issues the birth certificate and updates the / 

information through an enrolling agency. j 


Uiuijuc h'i*nri(ic<uion AuUhhiIvoJ Indu 

Strategy Overview 


24 



B i o me tii cs a n d i nfa n t s 

The recording of unique individual biometrics in the UID database is a challenging one for infant 
records. The solution to this is to record the UID and biometric of the parents in the child's record 

The child s biometrics need to be taken at around 5 years of age, and updated in the UID system 

eveiy 5 years until the age ot 18. This will be enforced by an expiry date attached to the UID 

number, which will become invalid after that date UntM the time the biometric of the child 

stabilizes, any one of the parents/guardian will need to provide their biometric information for 
authentication. 

Recording deaths in the UID svstem 

•/ 

It is also necessary to record deaths in the country, and the birth and death registration act 

provides for such registration. The same institutions that record births can be in charge of 

updating deaths in the UID system. The UID system will not remove a record upon the person's 

death, it will simply mark it as deceased' and hence will render it inactive for the purposes of 
authentication. F K 
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Ensuringstrong authentication, and what it means for the UiDAI 

The real test of reliability for the L ID system will be during identity authentication. Confirming 
'you are who you say you are' remains the primary, often elusive goal of all identity systems. 

The UIDAI approach - which will he online authentication, with biometric check - creates a very 
strong authentication system, and gives the UIDAI significant ability to confirm an individual's 
identity. Hie UIDAI will suppoit the Registrars in building the infrastructure and systems 
necessary to authenticate i es'denls m d life rent parts of (lie country. This wCl be especially critical 
for Registrars working in rural areas and a, nong the poor. 

4.1 Enabling U!D adoption for authentication 

The speed of UID adoption in India depends on whether die number can help in eliminating 
poverty and marginalization, and in enabling greater transparency ami efficiency in service 
delivery, if it succeeds in these goals, die rumbet wifi become indispensible for residents in 
accessingscrvices. 

While the UID can provide die strongest rormof pre-verification and identity authentication in the 
country, it cannot ensure that targeted benefit programs reach intended beneficiaries. The pro¬ 
poor impactof the UID, consequently, will not gain traction unless there is a mechanism to link the 
UID process with actual service delivery. 

A clear adoption process can overcome libs gap by helping introduce the UID method of 
audienticaiion at every point of service delivery. To ensure this, die UIDAI will not only work with 
Register i s who do enrolment, but also with non-enrolling, service delivery agencies. Such 
agencies involved in the delivery o t services and benefits will be encouraged to partner with the 
lt)i authentication. Once they authenticate a resident's identity against the UID database 

every time they carry out a service transaction, they will he able to deliver services far more 
effectively. 

In order to accommodate this authentication, agencies may need to rc-cngincer their business 
processes to be U!D-er.abled. 1 lie most basic requirement for change will be in incorporating the 
UID method of authentication into their systems. Agencies will have to adhere to norms and 
procedures specified by die UIDAI for fingerprint capture and verification, and introduce a robust 
biometric authentication prccessat every poinlofsalc. 

There is tremendous value to be gained from widespread adoption of the U!D for authentication, 
especially for residents. While enrolment in the UID database will ensure that residents arc not 
denied access to fundamental services and rights because they cannot present positive proof of 
identity, adoption in authentication could go one step further, and ensure that residents 
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consistently receive these services. This can include a wide range of benefits such as education, 
health coverage, old-age pensions and subsidized food grains, thereby fulfilling the UIDAl's pro 
pooragenda. 

The UIDAI is only in the identity domain. The responsibility of tracking beneficiaries and the 
governance of service delivery will continue to remain with the respective agencies - the iob of 
tracking distribution of food grains among BPL families for example, will remain with the state 
POS department. The adoption of the UID will only ensure that the uniqueness and singularity of 
each resident is established and authenticated, thereby promoting equitable access to social 
services. 

The adoption of the UiD during authentication v/ili also have a direct correlation with subsequent 
enrolment.C«rcater cnrolmentcomcs from the value a residentderives from the UID, which in turn 
depends on the rate of adoption. There is a positive cycle here, created from the relationship 
between adoption and enrolment - the greater the adoption, the faster the enrolment and vice 
versa. The twin approaches of enrolment and adoption will result in greater influence and traction 

for the UID among residents in the country, and. establish the UIDAI as the only genuine identity 
authenticator in India. 


4.2 Types of authentication 

There arc multiple forms of authentication that the UID authority can offer. Certain types of 
authentication would have iow to medium assurance if there is the possioiiity thac the card is 
forgrd. Here we summarize the main forms of authentication, depending on the situation and 
equipmentavailable. 


Online authentication is supported by the UID system. This can include 

Online demographic authentication where the authenticating agency compares the UID 
number and demograjihic information of the UID holder to the information stored in the UID 
database.The assurancclcvel here is medium. 


Online biometric authentication where the biometrics ol the UID holder, His UID and key 

demographic details are compared to the details in the CIDR. The assurance level in this case 
is high. 


Online demographic/biomelric authentication with API where the Registrar's backend 
system makes a programmatic call to the authentication APIs exposed by the UID system to 
perform authentication. The assurance level here may be medium-high depending on 

whether the checkused demographic or biometric inputs. 

Offline authentication may be supported by the Registrar, and docs not use the authenticating 
service provided by the UIDAI. This may come in two forms: 

Photo match authentication where the photo on the card is compared with the cardholder. 
This is the most basic form of authentication. The assurance level here is low. 
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Offline biometric authentication compares the scanned fingerprint of the cardholder to the 
biometric stored on the Registrar-issued card. The assurance level here is medium. 
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4.3 Authentication and the UIDAt revenue model 

The ability of die UfDAI to offer agencies across the country strong, reliable authentication is the 
key to its sustainability. The UIDAI wilt offer resident authentication services for a fee to 
governments and private sector firms. 

The agencies wliich request a resident authentication service will have to be registered with the 
UfDAl and foiiowslTictguideltnes in using the service as well as in managing resident information. 

Basic identitycoiifinnaticn 

Sasic identity confirmation from the UIDAI weald be free. In this transaction, the authenticator 
will provide die U1D number, name and one other parameter such as date of birth of the person, 
and the centratdatabase will confirm the identity as a ’Yes* or *No‘ response. 

This type ol transaction will be earned out in large numbers and will need quick response times. 

Chargeable authentication services can be of two types: 

Address verification 


For security purposes, government agencies as well as private sector firms require address proof 
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from Indian residents before providing them with benefits and services. However, agencies often 
complain of the difficulty of address verification "you try to verily an address in India, and you 
enter a labyrinth'. The service provider usually verifies address through a physical visit, as well as 
an enquiiy to confirm the other information provided. This process is expensive and costs 
between Rs. 100 and Rs.500 per verification. 


The address authentication service the UJDAI will otfer these entities would consequently be a 
valuable one. In the proposed transaction with the UID Authority, the agency will submit the UiD, 


name and address of the resident to l he Cl DR, which will confirm the address. As a result, the 


agency will not have to do pi .y, c cal addi ess verification. 


Biometrics confirmation 


Services such as issuing a credit card or gi anting 


a loan need the confirmation of the resident's 


identity. This process for the resident involves the submission of photograpns and other 
documentation confirming their identity. In the proposed transaction with the UID Authority, the 


agency car send the scanned photograph or fingerprint (based on the secuiity level required) 
together with other demographic details to confirm the identity of the person. 


Revenue projections from authenticationservices 


Ine following revenue model for the UJDAI is an illustrative one. it has been designed while 
keeping in mind the value the agency requesting authentication would derive from the service. 
The table below summarizes the kind of transaction, potential user agencies and the proposed 
transaction foe. Government agencies could be provided these services from the UIDA1 at a 
subsidized rate. 


SI. Transaction Typo 


Transaction Fee Potential User Agencies 


Basic IDConfirmaUon 
Address VcrifIcalioi i 


Free 


Rs.5 


Airlines during passenger check-in 
Banks foraccounlopcning 


Biometrics Confirmation Rs. 10 


Credit cards issue process 


The authentication service from the UIDAI can begin after the initial bulk on-boarding of 
Registrars. The revenue estimates for the UIDAI below arc based on the current expenditure of 
various agencies on KYR processes, which would be replaced by the Authority's authentication 
services. It also lakes into account expected growth in demand for mobile connections, bank 
accounts, etc. 






. *-L*i nci* *:/ o' 1 ‘jf'M j 29 

Strategy Overview 1 


UID Revenue Projection 
(Steady State Estimates) 


New Mobile Connections 


PAN Cards 


GasConnections by PSU 


Passports 


CIC New Policies 


Transaction Type 


Address 


19.59 


0.06 


Biometrics 


1.20 


0 


10.16 


Credit Cards 

^ —— _ _ 

0.70 

Bank Accounts 

———- 

11.55 

Airline Check-in 

- 

Projected Total Transactions 

31.91 

Proposed Transaction Rate 

5 

Transaction Revenue 

—-- 

159.55 

Estimated total annual revenue 

at steady state (Rs. Crores) 


12.86 


10 


128.60 


288.15 



Unique ldriUifir,«(ion Autlioii(y of huliu 

Strategy Overview 


30 


5 


< c 2-} 1 w-«y jr , 

N * v. ***** * x ^ 4 * ' / 

Legal Frame wo rlc v* 


t~« 1 / j'* 


** r « • i 

Z • i K f 


_ '** 
*'*} ** ^ S^C 4 



Thconst.tut.on of Indta, through the Directive Principles of State Policy 5 mandates that the stale 
shall strive to minimize inequalities of income and endeavor to eliminate inequalities in status 
amongst md.v,duals. The objective of the UIDAI is to solve the key problem of identity that 
individuals face and enable netter and efficient delivery of services to the poor and marginalized 
so as to eliminate inequalities ol income and stains, It is therefore, imperative to have a proper 
legal structure m place to ensure the smooth functioning of the UIDAI. This section provides an 

overview of the legal and policy framework. 

The Unique identification Authority ol India fUiPA!) will beset up as a statutory body by an Act ot 

Parliament, The UIDAI will be authorized: 7 7 

o To collect the following identity information from any person voluntarily seeking a unique 
identity number: 

■ Name 

* Date of Birth 

■ Gender 

" Father’s name and UID number 

■ Mothers name and UID number 

a Address 


AN ten fingerprints, photograph and both iris; 


scans 


he law will contain a prescription ags ,nst collecting any other information than the information 
permitted, with specific prohibitions against collection of information regarding religion, race, 
ethnicity, caste and other similar matters, and for the facilitation of analysis of the data for anyone’ 
or to engage in profiling or any similar activity. 

o To issue a unique identity number to the person who has provided the necessary information 
and fulfilled the requirements as laid down in rules prescribed by the UIDAI. 


Art. 38 (1) The Suite shall strive to promote the welfare of the people by securing and protecting as effectively as it mav a 

social order m which |uslicc. social, economic and poliliial, shall inform all the institutions of the national life 

(2) The Slate shall, in particular, strive to minimise the inequalities in income, and endeavour to eliminate 
Inequalities in status, facilities and opportunities, not only amongst individuals but also amongst groups of 

people raiding in different areas or engaged nidiffcrcntvocations. 
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o To verily the identity of any person at the time of the provision of information, the issuance of 

a unique identity number or at any other time per the UIDAI database or other possible 
means, as laid do w n in rules prescribed by the KID At. 

o To permit the UIDAI to set up or facilitate the infrastructure by which third parties can 
authenticate the identity of persons who have provided information to the UIDAI and the 
circumstances and conditions they can seek such verification. The information on the 
database will be used only to authenticate identity. 

o To establish or appoint a Central ID Data Repository (Cl DR) for the purposes of collecting, 
managingand securing the database and to outsource any such functions. 

o To permit the appointment of Regi.su ars in accordance with criteria laid down by the UIDAI 
to enrol people that s*»ck unique identity numbers directly or indirectly through enrolling 
agencies. 

o To allow for the ap;>ointme.n of other service providers in accordance with criteria laid 
down by the UIDAI, as the UIDaI may deem fit to further its objectives and to ensure 
efficiency. 

o To call for information and records, conduct inspections, inquiries and audit of the CIDR, 
Regislrars,enrolling agencies anti service providers.. 

o To enter into all necessary contracts and arrangements in order to fulfill the objectives of the 

UIDAI. 

* 

o To setup mechanisms (orgrievance rodrcssal for Ihc public 

o To set up a monitoring framework to improve implementation, create safeguards as required 

and study die impact of the U1D 

o To hire the necessary technical and professional personnel necessary for executing the 
mandate and fulfill the objectives of the UIDAI. 

The law will also contain 

o Penal provisions against persons employed by, or associated directly or indirectly with, the 
CIDR, Registrars, enrolling agencies and other seivice providers for failing to comply with 
the directions issued under the Act 

o Penal provisions against persons employed by, or associated directly or indirectly with the 
UIDAI, CIDR, Registrars, eni oiling agencies and other service providers for breach of certain 
key sections of the legislation - including the specific prohibitions on profiling, the disclosure 
of information and maintenance of confidentiality etc. 


o Penal provision for persons who intentionally or fraudulently provide wrong information, 
attempt to obtain a second unique identity number, steal the identity of any living or dead 
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person, etc in this context, there will be no liability on the part oi the UIDAI or persons 
employed by, or associated directly or indirectly with the UIDAI, CIDR, Registrars, enrolling 
agencies and other sendee providers for providing a unique identity number to a person who 
intentionally or fra u dui en tiy o b ta i ns such nu n;ber. 


Protecting privacy and confidentiality 


The information that the UIDAI is seeking is already available with several agencies (public and 
private) in the country, the additional information being sought by the UIDAI are the fingerprints 
and iris scans. However, the UIDAI recognizes that the right ot privacy must be protected, and that 


people are sensitive to the idea of giving out their personal information, particularly the idea of 
information being stored *n a c entral database to be used for authentication. UIDAI will protect the 
right to privacy of the person seeking the unique identity number. The information on the 
database wH be used only to authenticate identity. Necessary provisions would be in place m 
address the issues of privacy and confidcnUaiuy. 


Offences under the UIDAI Act 

The U1D database will be susceptible to attacks and leaks at various levels. The UIDAI muse nave 
enough teeth to be able to address and deal with these issues effectively.! twill b p an offence under 
the UIDAI Act to engage in the following activities: 

• Unauthorized disclosure of informal ion by anyone in the UIDAI, Registrar or the Enrolling 
agency 

• Disclosure of information violating the protocols set in place by the UIDAI 

• Sharing any of the data on the database with anyone. 

• Engaging in or facilitatinganalysisol the data lor anyone. 

© Engaging in o r facilitating profiling of any nature for anyone or providing information for 
profiling of any nature for anyon e. 

• AH offences under the Information Technology Act shall be deemed to be offences under the 
UIDAI ifdirccted against the UIDAI or its database. 


( 
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Data Security and Fraud 




6.1 Protecting personal information of residents 

Even as the UIDAI stores resident information and confirms identity to authenticating agencies, it 
w:!l have to ensure the security and privacy ofsuch information. 

By linking an individual’s personal, identifying information lo a UID, the UIDAI will be creating a 
transaction identity for each resident that is both verified and reliable. This means that the 
resident’s identity will possess value, and enable the transfer of money and resources. 

The UIDAI envisions storing basic personal information, as well as certain biometrics. However, 
limiting ics scope to this, and not linking this information to fmaneiai/otber netails does notmake 
the lesident records in the database non-sensitive. Biometric information for example, is often 
linked to banking, social security and passport records. Basic personal information such as date of 
■birUiis used to verify owners of credit card/bank accounts and online accounts. Such information 
will therefore, have to be protected. Loss of this information risks the resident's financial and other 
assets, as well as reputation, when live i es>dent is a victim of identity theft. 

In the federated system that the UIDAI envisions, we must consequently have processes in place to 
ensurea fair level of data seem tty. 
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6.2 Fraud scenarios 
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Seme of the potential fraud scenariosarc: 


Scenario 

Person applies fora HI L> number 
and prcsenls wrong information 
under their name. 

Person applies logcl a second 
card in anotlier name. 


Person appears as himself, 
and applies for a second 
UID number. 

Person appears as another 
existing person, registering 
the second person's information 

under his fingerprint. 

• 

Impersonation of a deceased 
individual, with fake supporting 
documents. 


De-duplication works incorrectly 
and returns false positive for 
a new UID applicant. 


Response 

I he verification piocess returns application to 
Llicapplicantand presents the rcasonsfor not 
issuing number 


I Application returned, with reason provided 

If person's name wasfraudulent the first time, 

he has the option of applying to change his 
demographic fields, if this fraud is attempicd again, 
I person is added to watch list/ legal action. 

1 ——-•— — _____ _ _. 

I Application returned, with reason provided, 
j (("attempted more than three times person 
added to watch list. 


The victim can report identity theft to the UIDAI's 
grievance office. The UIDAI will undertake an 
investigation, and take appropriate action if theft 
is confirmed. 

If the applicant passes the verification process, 

Uicn he may be able to take cn the slolcn identity. 

However, he will not be aide to change his demographic 
fie.ds over his lifetime wii houtdue process. 

Pei son can request check against face biometrics 
as well as re-verification by Registrar. 
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Technology architecture of the U1DAI 
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Tit- technical architecture of the UIDAI is at this point, based on high-level assumptions. The 
architecture has been structured to ensure clear data verification, authentication and de- 
dupl&ation, while cnsunuga high level of privacy and information security. 

7 1 System architecture 


TheCencrai ID Data Repository will he the central database of all residents, containing the minimal 
set of fields sufficient to confirm identify. The federated set of databases belonging to the 
Registrars may contain additional information about the resident, and can use die l esident's UID 
as tiie key. 
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The key technology components of the UID system are 

• TJie UfD Server, which provides the enrolment and the authentication service. These 
services will be available over ihc network for the various Registrars and their 
authenticating agencies to use. The backend servers need to be architected for the high 
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demands of the 1:N biomclnc dc-dup!ica(ion 
authentication requests. 


as well as the large peak loads from 


The Biometric sub-system is central to the UID system for enrolling as well as 
authenticating residents. It is likely that a intilu-nicdal biometric solution will be used to 
achieve a hign level of assurance. The 1:N de-duplication envisioned will be by far the most 
computing-intensive operation of the UID system, innovative techniques of hashing, 
indexing, distributed piocessing, and in-memory databases using multiple-biometric- 
modes need to be employed to get acceptable performance. 


The Enrolment client application will capture and validate demographic and biometnc 
data, this client needs to woik in an offline mode in the village setting when there is no 
internet connectivity, and upload batch files to the server for processing. Alternatively the 
batch files can be physically transported to the CIDR for uploading The client application 
will be deployed on a standard enrolment workstation. 


The Network is a critical aspect of the system, since all UID enrohnent and authentication 
services will be available online. UID services could work over secure WAN networks, the 


vanilla internet or over mobile SMS channels. It could also potentially work over existing 
networks such as credit-card POS (point-of-scrvicc) devices. 


The Security design secures all the above components from logical/physical attack. This 
includes. 


o Server Security - firewall, intrusion prevention and detection systems (IPS, IDS) 
o Network, ClicnfSccurilv - Encryption, PK! etc 

The Administration system will help administer the UlDAI's opera cions. This includes 

o Account setup •• cication/modilication ol Registrar, enrolling and authenticating 
agency account s 


u Role based access contiol - Assign rights over UID resources based on role, 
o Audit trailing - track every access to the UID system. 

o Fraud detection - detect identity theftand cyber crimes using audittrails 

Reporting and Analytics - Visual decision support tools - GIS, Charting etc. 


o 
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Project Execution 
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One of the unique challenges in executing the U1D project is its scale. Due to the size of India's 
population, the UIDAI is undertaking what is perhaps the largest governance-related exercise in 
the world. We must ensure that ah aspects of the project - enrolment, de-duplication, and 
authentication - function effectively even as the number of records approaches a billion 

8.1 Addrcssmgehalleugesoi scale 

ThciHDAJ can expect its enrolment run-rate to have a peak load 01 one million enrolments pei day 
in *he very first year ofoperation. Every sub-system and component of the UID system will need to 
scale quickly and significantly. This will include. 

1) The ability to onboard kcgisn arc (rom different sectors and handle their constituencies ol 
residents. 

2) The legal framework of con traces needs to support the variety and spread of stakeholders as 
their numbers grow exponentially across the country. 

3) The biometric de-duplication algorithm needs to scale towards checking a fingerprint 
againslevcry oncol 1.2 billion people to ensure uniqueness. 

4) The auihonlieating service, winch may be used by tens ol thousands of points across the 
country, needs to scale to handle Hundreds of thousandsof transactions per second. 
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The UID project docs face certain risks in its implementation, which have to be addressed through 
its architecture and the design of its incentives. So me of these risks include: 


1) 


2 ) 


3) 


Adoption risks: There will have to be sufficient, early demand from residents for the UID 
number. Without enlxui mass among key demographic groups (the rarJ ana the poor] the 
number will not be successful in the longterm. To ensure this, the UID/M will have to model 

dc-duplication and authentication to be both effective and viable for participating agencies 
and service providers. 

Political risks: The UID project will require support from state governments across India. 
The project wiil also require sufficient suppoi t from individual government departments, 

especially in linking public services to the UID, and from service providers joining as 
Registrars. 

Enrolment risks: The project will have to he carefully designed to address risks of low 
enrolment - such as creating sufficient touch points in rural areas, enabling and motivating 
Registrars, ensuring that documentary requirements don't derail enrolment in 
disadvantaged communities - as ^ veil as managing difficulties in addrcs c verification, nam 
standards, iackofinformation on date ofbirth, and hard to record fingerprints. 


e 


4) 


Risks of scale: The project will have to handle records ihat approach one billion in number. 
This creates significant risks in biometric dc-duplication as well as in administration, 
storage,aud continued expansion ofinfiasti ucture. 



Technology risks: Technology is a key part of the UID program, and this is the first time in 
the world that storage, authentication and de-duplication of biometrics are being attempted 


on this scale. The authority will have to address the risks carefully - by choosing the right 


technology in the architecture, biometrics, and data management tools; managing 
obsolescence and data quality; designing the transaction services model and innovating 


towards the bestpossible result. 


6) Privacy and security risks: The U1DAI will have to ensure that resident data is not shared or 
compromised. 

7) Sustainability risks: The economic model (or the UIDA1 will have to be designed to be 
sustainable in the long-term, and ensure that the project can adhere to the standards 
mandated by the Authority. 
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UID-enabled micro-payment architecture 


This section discusses one of the potential applications o( the UID - the use of the number in 

driving financial inclusion, and in enabling a micropayments solution that the poor can use to 
access financial services. 

While the demand for financial inclusion lias gained urgency over the last fewyears. initiatives in 

India to expand financial infrastructure date back several decades, since the building of rural 

cooperative credit banks in the 1950s, and the spread ol bank networks in the 1970s and 1980s 

These initiatives have paid oft over the years - India's bank branches are well-networked 
particularly across urban India 

8ut despite these efforts, access to fi nance has remained scarce in rural India, and for the poorest 

residents in the country. Today, tin ■proportioned rural residents who lack access to bank accounts 

remains at 40%, and this rises to over three-fifths of the population in the east and north east of 
India. 

This exclusion is unfortunate. Econonncopportunity is after all, intertwined with financial access. 

Such financial access is especially valuable foi the pool- — it offers a cushion to a group whose 

incomes are often volatile and small. It gives them opportunities to build savings, insure 

themselves against income shocks and make investments. Such savings and insurance protect the 

poor against potentially rtunousevents - illness, lossofemploymont, droughts.and crop failures. 

Howeverdue to the lack of access to financial services, many of the Indian poor face difficulties in 
accumulating savings. 

To mitigate the lack ol financial access in India, the RBI iias iodised on improving the reach of 
financial services in new and innovative ways - through no-frills accounts, the liberal ration of 
Banking and ATM policies, and branchless banking with business correspondenls2 (BCJ, which 
enables local intermediaries such as self-help groups, post offices and kirana stores to provide 
banking services. These efforts have also included the promotion of core-banking solutions in 
regional rural banks; and tile incorporation of the National Payment Corporation of India InlPCI] 
as an apex switch, for paymen Is and settlements. 

In recent years, ATM and core banking as well as greater mobile connectivity have also become 

two powerful engines ol financial access. Mobile phones in particular present an enormous 

opportunity in spreading financial services across India. These technologies have reduced the 

need for banks to be physically close to their customers, and banks have been consequently able to 

experiment with providing services through online as well as mobile hanking. These options, in 

addition to ATMs, have made banking accessible and affordable for many urban non-poor 
residents across the coun try. 



ijimjuc Identification Authority of india 40 

Strategy Overview 


With the poor however, banks face a fundamental challenge that limits the success of these 
technologies and recent banking innovations. The lack of clear identity documentation for the 
poor creates substantial difficulties in establishing their identity to banks. This has limited the 
extent to which we can leverage online and mobile banking to reach these communities. 

Besides challenges in access and identity, a third limitation has been the cost of providing banking 
services for the poor. The poor have unique preferences when it comes to withdrawing money and 
making deposits — they prefer to do large numbers of small transactions, in 'mimopaymems - of 
say. Rs.10 rather than Rs.100. Banks discourage such payments, as transaction costs unocr this 
model would be too high to oeai. T he Unique Identification number (UID), which identifies 
individuals uniquely on the basis of their demographic inlormation and biometrics, gives 
individuals the means to dearly establish their identity to public and private agencies across the 
country. It also creates an opportunity to address the existing limitations in financial inclusion. 
The Ui D, once it's linked to r. bank account,can help poor residents easily establish their identity to 
banking institutions. As a .csuU, the UID enables banking institutions to bring togclhci .he 
infrastructure that now exists in order to build an accessible, low-cost micropayments model 

Since the UID enables remote authentication of identity, it empowers toe poor in making 
electronic transactions in small, micro-amounts, remotely and at low-cost, through BC netwoiks 
connected by mobile phon-s. The model would thus be accessible and affordable across the 
country. Such a UID-cn?blcd micropaymcnls approach can bring about universal financial access 
for the poor — they would be able to access their accounts or the move, wherever they aie, 
through any mobile phono, from any bC or bank. The UID-cnabJed bank account dm thus be a 
global address for residents, similar to an emad id or a mobile phone number. 

Over the last few years, wc have seen critical reforms implemented towards creating a payments 
solution for the poor. The DID number helps integrate these reforms and leverage the technology 
already in place into an effective micropaymcnls solution. This can bring low-cost access to 
financial services to everyone, a short distance from then’homes. 

10.1 Features of I'lD-omnb’.ed micropayments 

UID KYR sufficient for KVC: Banks in India are required to follow customer identification 
procedures while opening new accounts, to reduce the risk of fraud and money laundering. The 
strong authentication that the UID offers, combined with its KYR standards, could remove the 
need for such individual KYC by banking institutions for basic, no frills accounts, it will thus vastly 
reduce the documentation the poor are required to produce for a bank account, and significantly 

bringdown KYC costs for banks. 

Electronic transactions: The UID's authentication processes will allow banking institutions to 
verify poor residents both in person and remotely. Rural residents will be able to transact 
electronically with each other as well as with individuals and firms outside the village, reducing 

their dependence on cash. 
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Ubiquitous BC network and BC choice: The llID's clear authentication and verification 
processes will allow banking institutions to network with village-based BCs such as self-help 
groups, post offices and Idrana stores. Customers will be able to withdraw money and make 
deposit at the local BC. Multiple BCs at the local level will also give customers a choice of BCs. This 
would make customers, particularly in villages, less vulnerable to local power structures, and 
lower the risk of being exploited by BCs. 

A high-volume, low-cost revenue approach: The UID wiU mitigate the high customer 
acquisition costs, high transaction costs and fixed IT costs that we now lace in bringing bank 
accounts to the poor. 

No-frills accounts that'vm be provided and accessed at low cost through local Bcs, with electronic 
cash transfers, would encourage large numbers of small transactions auoss these accounts, and 
make diese accounts an important source of revenue for banks. 

10,2 Benefits 

For resident's: The UID-enabled Bank Account (UEBA) wifi bring financial access and 
affordability to millions of residents who are presently excluded from formal financial systems. A 
UID-enabled bank account will also help residents make cheaper, faster electronic transactions 
and remittances in die foi m of nuci opayments. The solution will enable universal access to their 
account from any bank or BC, amt through any mobile device, enabling residents to access 
payments on the move, Iteguiai. affoidable access to banking services would also give the poor a 
means of keeping their money sale — a convenience that has long been available to ihe middle 
class would now be accessible to the rural and tub an poor. 

For the government: Large-scale unancial inclusion can pave the way For electronic benefit 
transfers (EBls) for residents. Central and state governments will be able to eliminate the 
identity-related fiaud that exists within its public programs with such transfers going into UID- 
enabled bank accounts. The bulkof the informal cash economy across rural India, and remittances 
between urban and rural India will also become part of the formal banking system, with traceable 
and accountable money flows. This will ensure compliance with Anti-Money Laundering laws and 
Financial Action Task Foi cs standards The government will gain these benefits without having to 
overhaul governance systems — the micropaymenis approach won't require governments to 
changedecision-makingprocessesacrossthecentral,stateandlocallevel. 

For banking institutions: The use o{ the central payments switch to move cash electronically at 
the last mile will dramatically cut down on cash handling and transaction costs for banking 
institutions. The cost of customer acquisition would also be significantly reduced, as a resident 
with a UID would require no further identification to get a UID-enabled bank account. 

A low-cost micropayment approach will make the large volume of micropayments, remittances 
and government transfeis to UID-enabled bank accounts important sources of revenue for 
banking institutions. Through the BC network, banks would be able to access customers through 
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the large distribution channels in the country — including the mobile prepaid network, postoifice 
networkand FMCG retailers. In addition, BCs would see increased revenues from larger numbers 
of micro-transactions. 

10.3 Conclusion 

Over the last decade, we have seen a transformation in financial access for residents across the 
country — the reforms that encouraged the expansion o( ATM, internet and mob'Ie banking have 
made financial access affordable and accessible for large numbers of residents 

The transformation however, ha* been most significant for India s urban, non-pooi icsideuts. 
These policies have not addressed the unique challenges the poor lace in financial access, and they 
consequently, remain at the periphery when itcomes toeffective accesstofinance. 

The UID-enaMed micropayments solution is just on? of the many developmental applications that 
the UID number can enable, it is also a critically important application, which can help aadress 
India’s financial divide. Linking the UID numhei to a universal, accessible, and affordable 
micropaymcnts model can l runs form the access the poor have to banking services in the counti y. 

UID-enabled micropaymenls can be a stepping stone to creating economic opportunities foi 
residents across the country, regardless of where they live. The financial inclusion that it makes 
possible will be critical to improving access for the poor to resources and skills. As we move 
towards an open access society, it is this soft infrastructure — connectivity, financial inclusion, and 
identity—that will ultimately, empower the individual m india. 





1 








DID for Dummies 

Suni Chacko and Pratiksha Khanduri* 


Augusl 2011 

Released on Kufi/u on 12 September 2011 




introduction 

A. UID: The Basics 

B. The Enrolment Process 

C. Benefits of UID 

D. Concerns: Biometrics, Privacy, Data security, Surveillance 

E. UID and Other Databases 

F. Similar Initiatives across the World 
Endnote 

References 

Appendix 1: Valid Identification Documents 

Appendix 2: ID Systems and Debates across the World 
Notes 


* The authors are graduate students at Jawah&rlal Nehru University (WU, New Delhi) and the Delhi 

School of Economics respectively (contact address: uidfoKluremies@gmail.com). We thank Reetika 
Khera and Jean Dreze for theu-useful inputs and insightful comments. 

0 








^ -4- 








- •* ■*- 





It* »v 




- -- 1 *? 


>* «•*- t 

K l Jpf& 




*' ^ 


4 * 

'X* 




V • 


-' “3? 






t 


t* 


► 

x 

-V J> 

•v 




nr - 


* 4 . 










- *Tt>**- « 







INTRODUCTION 

The Government ol India has embarked upon an ambitious exeicise to provide a "unique 
identification*' (01 UID) numbei to every resident of the country. Each number is to be 
connected with three types of biometnc data: ins scans, fingerprints (all ten fingers) and a 
picture of the face. 

UID, it is claimed, will act as a useful identification facility and help the government to root 
out corruption from social progiamines The pioject was flagged off with lightening speed in 
September 2010, when the first residents weie "enrolled" undei UID in Tembhali village, 
Maharashtra. Since then, no effort has been spared to attract people to enrolment centres. 

This urgency in enrolling people has led to a series of misinformed assumptions. 
Misconceptions range from iris scans being taken for an ‘eye test* to fear of ration cards being 
taken away from those who didn't participate in this 'photography*. 1 Ranjana, the woman who 
made headlines in September 2010 for being the first person to get a UID number, was in the 
news again recently after complaining that the number was useless - she had tried to get a 
travel concession with it on the bus! The conductor bluntly told her to "dump the card in a 
dustbin". 2 The authorities are not able to clarify these misconceptions because their attention 
is focused oil meeting the enrolment targets. 

Meanwhile, the UID project has raised many questions related for instance to privacy, civil 
liberties, financial costs, and even technical feasibility. Even the Planning Commission is 
concerned that disquieting "test results" of the UID project have been ignored. 3 Tall claims 
that UID will enable better management of welfare schemes like NRJEGA and the PDS have 
also begun to be questioned. Behind all this, there is a larger question - is there more to UID 
than meets the eye? 

Despite these major concerns, there has been scarce public discussion about key aspects of 
the UID project. Viewing some of the media coverage that UID has got, it gives a sense of 
disproportion in the nature of reportage - a bit congratulatory, little depth and few questions 
asked. This inadequate probing and questioning has led to a lack of understanding within the 
general population about UID. With that thought, this primer seeks to shed some light on 
various aspects of this project and answer some frequently asked questions. 

The primer relies on official documents (such as the UIDAI's ‘'Strategic Overview”, 
“Handbook for Registrars 1 ’, “UID and Public Health” paper, etc) as far as the official side of 
the picture is concerned. This is complemented with other publicly available material, e.g. 
newspaper articles, reports, interviews, public lectures, websites, etc. As you read on, you 

will see that on many key aspects of UID, accurate information is not easy to find - we done 
our best with the material available. 


I 



A. UID: The Busies 


Q. 1. What is UID? 

UID is a “unique identification” number that is to be assigned to every resident of India - one 
person, one numbei. This number, aside from being unique for each person, can be verified 
li-orn his or her fingerprints it is a little bit like an identity card (or a voter ID) that no-one 

can lose, steal, forge, or duplicate. What purpose the UID is supposed to serve will be 
discussed fui thei on. 

Q. 2. What about UIDAI? 

UIDAI (the Unique Identification Authority of India) is the authority that has been created to 
issue UID numbers. It was set up in January 2009, by an executive order, not a legislative 
measure such as an Act of Parliament, under the wings of the Planning Commission. The 
stated goal of the UIDAI is to “issue a unique identification number (UID) to all Indian 
residents that is (a) robust enough to eliminate duplicate and lake identities, and (b) can be 
verified and authenticated in an easy, cost-effective way” 4 Detailed information about 
UIDAI is available on the Authority's website (http://uidai.gov.in). 


Q. 3, Is there a law governing the functioning of UIDAI? 


Not yet. The National Identification Authority of India Bill 2010 (hereafter “NIAI Bill”), 
tabled recently in tlie Rajya Sabha, seeks to create a legal framework for UID. 5 If and when 
the Bill is passed, UIDAI will become a permanent stamtory body, renamed National 
Identification Authority of India (NIAI). The law will also stipulate rules, regulations, 
piocesses and protocols to be followed by different agencies partnering with NIAI. 
Meanwhile, the UID process is already in full swing, without any legal framework. 

Q. 4. On what grounds do we need a UID? 


UID is supposed to act as an all-purpose, fool-proof identification device. This could help, for 
instance, in preventing “identity fraud” (like impersonation, when someone pretends to be 
someone else), and in facilitating all processes that require identifying oneself - such as 
opening a bank account or applying for a passport 


According to the UIDAI’s “Strategy Overview” document, in India “inability to prove one’s 
identity is one of the biggest barriers preventing the poor from accessing benefits and 
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subsidies,” The document goes on io state ‘‘‘But till date, there remains no nationally 
accepted, verified identity number that both residents and agencies can use with ease and 
confidence As a result, every time an individual tries to access a benefit or seivice, they must 
undergo a full cycle of identity verification. Different service pioviders also often have 
different lequirements in the documents they demand, the fotms that lequire filling out, and 
the information they collect on the individual." 6 

So, the UID project was initiated on the apparent premise that the poor faced great hurdles in 
accessing benefits and subsidies due to the inability to provide proof of their identity. This 
problem was always there. It is interesting that it is being ‘"discovered” now, just when a 
readymade “solution” is in hand. There are, of course, more fundamental reasons why poor 
people are often excluded from public services and programmes - including the nature of 
power structures, which tend to be reinforced by projects like UID. 

Some healthy scepticism, then, is in order here, especially since there are other views of the 
real purpose of UID. According to some, for instance, the initial purpose (under the NDA 
government) was “to wash out the aliens and unauthorized people. But the focus appears to 
be shifting... Now, it is now being projected as a development-oriented initiative, lest it ruffle 
any feathers. People would be unwilling to give up their right to privacy." 7 This is not a 
human rights activist speaking - it is A.K. Doval, former Intelligence Bureau Chief. And he 
would know. 


It is unlikely that the UPA government would want to be caught on the back foot promoting a 
surveillance programme initiated by the NDA government And so begins the consistent 
effort to manoeuvre and position UID as an unavoidable solution for deep social problems 
and systemic challenges. 

Q. 5. What is “Aadhaar”? 


"Aadhaar" is another name for UID - a sort of "brand name" for the UID project. In Hindi, 
aadhaar means “foundation” - nothing less! 

Q. 6. Does getting a UID number entail getting a card? 

It's a common misconception that getting a UID number means having a legit card with the 
number. This is not the case. According to some sources, all you get is a UID number on a 
sheet of paper with personal details. However, various government agencies may or may not, 
subsequently, issue smart cards using the UID*data. 8 
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Q. 7, Who is in charge of UIDAI? 





On 2nd July 2009, the Government of India appointed Mr Nandan Nilekani as Chairman of 
UIDAi, with the rank and status of a Cab met Minister, foi an initial tenure of five years. 
Further, the “Prime Minister's Council of UIDAI Authority of India”, set up on 30 July 2009, 
is to ‘"advise the UIDAI on programme, methodology and implementation to ensure co¬ 
ordination between Ministries/Departments, stakeholders and partners 15 The first meeting of 
the Council took place on 12 August 2009” 

Q. 8. What is the timeline for this project? 

The timeline for this project has changed a few times. Initially, the target was to start in 
August 2009. However, this was delayed. The first set of numbers were issued on 29 
September 2010, when the UID project was officially flagged off by Prime Minister 
Manmohan Singh and Congress President Sonia Gandhi in Tembhali village, in 
Maharashtra’s Nandurbar district. The programme plans to provide UID numbers to 600 
million people (about half of India’s population) in the next four years. 

However, progress has been slow. By July 2011 (almost a full year after the project was 
launched), about 25 million people - 2 per cent of the population - had been enrolled tinder 
UID. Most of the enrolment happened in just three states: Andhra Pradesh, Maharashtra and 
Karnataka. 9 Having said this, monthly enrolment figures are now growing rapidly. 

Q. 9. What is the UID project expected to cost? 

There does not seem to be much clarity on this crucial question. According to some reports, 
the cost of UID enrolment lias risen from Rs 31 per person to somewhere between Rs 450 
and Rs 500 per person. By this estimate, this entire exercise will end up costing close to Rs 
1,50,000 crores.' 0 

Late last year, at a public meeting, Mr. Nilekani stated that the per person enrolment cost is 
approximately Rs 100. JI “It costs the Unique Identification Authority of India (UIDAI) 
Rs.100 to generate each aadhaar number, which will help address the challenges of 
inclusion,” said Nilekani. Even this is an incomplete answer, because several other agencies 
are also incurring a cost to enrol each person. Because of the way the system of issuing 
numbers is set up (see below), there is no transparent way to calculate the cost of this project. 

According to the Budget documents, Rs 100 crores was approved in 2009-2010 to fund the 

♦ 

agency for its first year of existence. This shot up to Rs 1,900 crores in 2010-11. According 
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to columnist Pratul Bidwai, the Planning Commission is allocating Rs 35,000-45,000 ciores 
over the next five yeais - to cover only half the population 

There are also reports that the fund allocation for the fust phase is about Rs 3,000 crores. It is 
a bit worrying that the public can find out about the U1D only m phases. 

Q, 10. Is your U1D number a proof of citizenship? 

No. Since it is not restricted to Indian citizens, and is meant for all lesidents ot India, the U1D 
number is no proof of citizenship. 




Q. 11. Is it compulsory to enrol under U1D? 

“Yes and no” seems to be the answer. The U1DAI claims that UID is a “voluntary facility - 
no one is obliged to enrol. However, government agencies are tree to make UID compulsory 
for their own purposes. For instance, nothing prevents the government from requiring 
NREGA workers to have a UID number in order to get paid. So life without a UID number 
may end up being quite miserable very soon. As one commentator pointed out, 'This is like 
selling bottled water in a village after poisoning the well, and claiming that people are buying 
water voluntarily”. ‘ 

An important point to be noted is that UID’s assurance of casting out “ghost” beneficiaries in 
programmes like PDS or NREGA can work out only if there is compulsory enrolment, or else 
both systems of authentication (identity card and Aadhar-based) must coexist - in which case, 
people with multiple cards may prefer to stay out of the purview of UID. 

Q. 12. What if a person doesn’t have a UID number? 

The U1DA1 has been on a Memorandum of Understanding (MoU) signing spree with a range 
of agencies including banks, state governments and the Life Insurance Corporation of India 
(LIC) to be “Registrars”, who then may insist that their customers enrol on the UID to receive 

continued service. 


Clause 3 of the draft N1AI Bill, mentioned earlier, declares that “every resident shall be 
entitled to obtain” a UID number, but nowhere in the Bill is there a clause saying that no 
agency may refuse services to a person because they do not have such a number. Thus the 

field is wide open for compulsion. 
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(A quick aside: Even in the United States, privacy law categoneally states that the Fedeial, 
State oi government agencies cannot deny benefits to individuals who do not possess 01 
refuse to disclose their Social Security Number, unless specifically requited by law. 14 ) 


i 



B. The Enrolment Process 

> 

Q. 13. Who will issue the UID number? 

The enrolment process is a multi-step process described below The numbers will be issued 
through various agencies authorized by the UIDAI across the country, called “Registrars". 
The Registrars, in turn, typically sub-contract the enrolment work, to “enrolment agencies”. 

Q. 14. Who is a “Registrar”? 

According to the draft NIA1 Bill, “Registrar” means any entity authorized or recognized by 
the Authority (i.e. UIDAI/NIA1) for the puipose of enrolling individuals under the Act. 
Potential Registrars include government departments or agencies, public sector undertakings, 
and other agencies that interact with residents in the regular course of implementing their 
programmes or activities. Registrars include government, public sector and private sector 
organizations. For instance. Rural Development Departments (implementing NREGA), Civil 
Supplies Departments (implementing the PDS), insurance companies such as Life Insurance 
Corporation, and banks are some of the Registrars currently working on UID enrolment. 

So far, the UIDAI has mainly engaged with state governments, central ministries and public 
sector organizations. The UIDAI has entered into MoUs with state governments, who select 
the specific departments they would like to appoint as Registrars for the enrolment process. 

A Registrar is required to ensure the security and accuracy of data (particularly biometric 
data) collected from residents. The Registrar must retain the “Proof of ldentity/Proof of 
Address/Consent” for enrolment documents in proper custody for the time period defined in 
the guidelines issued by UIDAI. They will be held responsible for loss, unauthorized access 
or misuse of data in their custody. In case of enrolment-related disputes, the Registrar is 
required to cooperate with the Authority in resolving the matter and provide access to all 
necessary documents and evidence. As this biometric and demographic data will pass through 
many hands, the UIDAI will face no action if it fails to protect this sensitive data. If an 
individual parts with the necessary information, he/she will face penalties. What isn’t clear is 
how people will know if their data has been breached and privacy violated. 




Q. 15. What kind of information does one have to provide to get n U1D number? 



UIDAI expects all Registrars to collect the following information at the enrolment stage' 
Name 

Date of birth 
Gendei 

Father's/Husband's/ Guaidian's name and UID number (optional for adult residents) 
Mother's/ Wife's/ Guardian's name and UID number (optional foi adult residents) 
Introducer's name and UID number (in ease of lack of documents) 

Address 

All ten fingerprints, digital photograph and both iris scans 

In addition. Registrars inay collect other information for their own puiposes. For instance, if 
the Registrar is a bank, it could ask for your telephone number at the time of enrolment. 

Q. 16. What are acceptable identification documents for UID enrolment? 

The ‘‘Handbook for Registrars”, prepared by the UIDAI, lists documents that can be accepted 
as valid identity for UID enrolment, such as the ration card, FAN Card, Voter ID etc. (see 
Appendix 1 for full list). 

Those who do not have any of these documents can also apply for a UID number (Aadhaar). 
In such cases, authorised individuals, who already have an Aadhaai, can introduce residents 
who don't possess any of the requisite documents and certify their identity. Such persons are 
called “introducers”. 


Q.17. How does enrolment proceed? 



Enrolment is a three-step operation. First, applicants are enrolled by a Registrar or enrolment 
agency, after recording the information mentioned earlier (name, address, etc.) and collecting 
the biometrics - photographs, aLl 10 fingeiprints and iris scan. At present. Registrars have 
been instructed to enrol all persons above the age of five years. Second, the information so 
gathered is stored in a database called the Central Identities Data Repository (CIDR). Third, 
this repository is used for de-deplication and, later on, to provide authentication services. 




De-duplication will be done by the UIDAI, using the biometrics, to make sure that no-one 

♦ 

gets two UID numbers. The UIDAI will also issue the UID number to persons enrolled by 
Registrars. If any of the personal details (e.g. name and address) recorded at the time of 
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enrolment change, it is the lesponsibility of the concerned peison to 


alert UIDA1 so that the 


database can be updated — mote on this below. 


c 


Other types of identity cards already 

in use in India 

identteara ■ 

Concerned groups/recipients ’ . 

PAN Card 

Every person with taxable income 

Election Photo Identity Card 

Indian citizens above 1S 

Employee Provident Fund Org 

Employees in the formal sectoi 

Multi-Purpose National identity Card 

Citizens of India 

Rashtriya Swasthya Bima Yojana Card 

BPL families 

MGNREGA Job Card 

Rural residents aged 18 and above 

Driving Licence 

Citizens aged 18 and above 

Passport 

Citizens who travel abroad 

Ration Card 

Families eligible for PDS 


Q. 18. Will marginalised persons such as the homeless get a UID number? 


In principle, yes. To refer to the UID website, “the mandate of the Unique Identification 
Authority of India (UIDAI) includes taking special measures to ensure that Aadhaar rs made 
available to poor and marginalised sections of society, such as street/orphaned children, 
widows and other disadvantaged women, migrant workers, the homeless, senior citizens, 
nomadic communities including tribal, and the difterently-abled”. However, it is not as 
simple as it sounds. Recently, an NGO’s homeless shelters were shut down by the Delhi 
government after it pointed out flaws in UIDAl's registration of the homeless. The NGO, 
Indo Global Social Service Society (IGSSS), stopped the enrolment process of the homeless 
^ after they realized that there was no clarity on what the NGO’s liability would be. Not only 

were the homeless being registered at the NGO’s address, their volunteers were asked to be 
the “introducers”. After one of its employees got questioned by the police for the death of a 
homeless person because a survey slip was found in the deceased’s pocket, the NGO decided 
to seek detailed information about the programme from the government, but their queries 
were not answered.'* This story is also a useful reminder of the dangers of initiating UID 

enrolment without a clear legal framework. 
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C. Benefits of UID 


Q. 19. What are the claimed benefits ol enrolling under lilD? 

UID is supposed to act as a general identification facility. “Once residents enrol, they can use 
the number multiple times - they would be spared the hassle of repeatedly providing 
supporting identity documents each time they wish to access services such as obtaining a 
bank account, passport, driving license, and so on How useful this facility is (and 
whether it is itself hassle-ftee) remains to be seen. Aside from this, it is claimed that the UID 
project is a powerful tool to light corruption in welfare programmes, enhance inclusiveness in 
government schemes, and so on. Tall claims have been made, e.g., "the project possesses the 
power to eliminate financial exclusion, enhance accessibility, and uplift living standards for 
the majority poor." 18 Some of the specific areas where the benefits of UID are supposed to 
flow are the National Rural Employment Guarantee Act (NREGA), the Public Distribution 
System (PDS), public health, financial inclusion, etc. How this is supposed to happen is 
explained in a series of concept notes posted on the ULDAI website. Three ot these concept 
notes are critically discussed below. The intention is not to say that UID is necessarily 
useless, but to debunk exaggerated claims and point out that the real benefits are yet to be 

clearly identified. 

Before we proceed, it is worth noting that the UIDAI’s concern with welfare schemes like 
NREGA and the PDS is not entirely disinterested. There is a catch: imposing UID on welfare 
schemes is a way of promoting UID enrolment As one analyst (who is “working on the 
project but did not want to be identified”) put it, “the foremost priority for UIDAI right now 
is to get people hooked on to using its applications”. 19 Since NREGA and the PDS are some 
of the biggest welfare schemes, covering most of the rural population, it is no wonder that 
they were identified early on as potential channels of mass enrolment. Sometimes, it looks 
like UIDAI needs NREGA and the PDS more than the other way round. 

UID and NREGA: Claims and clarifications' 

Unsuspecting readers of the UIDAI’s concept note on “UID and NREGA” may be bowled 
overby the power of Aadhaar. 20 However, a closer look suggests that scepticism is in order. 



Muddled thinking "Once each citi 2 eu in a job card needs to provide his UID before 
claiming employment, the potential for ghost or fictitious beneficiaries is eliminated " 
Elimination of ghost beneficiaries would be an important contribution, but as the same 
sentence makes clear, it requires compulsoiy and univeisal emo]mem Yet public statements 
convey that UID enrolment will be voluntary 




Poorly informed "In many areas the wages continue to be paid m the form of cash.” In fact, 
the transition to bank payments is largely complete (83% of NREGA job card holders have 
an account) Tamil Nadu is the only “area” where wages continue to be paid in cash (retained 
for the sake of speed) ‘ The mtioduction of payments tlnough bank or post office accounts 
has made corruption quite difficult, but three ways of siphoning off money remain - extortion, 
collusion and fraud. Extortion means that when "inflated" wages are withdrawn by labourers 
from their account, the middleman turns extortionist and takes a share. Collusion occurs 
when the labourer and the middleman agree to share the inflated wages that are credited to 
the labour er’s account. Fraud means that middlemen open and operate accounts on behalf of 
labourers, and pay them cash. Biometric-enabled UID to authenticate identity can only help 
to prevent "fraud", but is of little use in preventing collusion or extortion. 


4 / 


Financial inclusion: Payment of NREGA wages through banks and post offices have been 
made mandatory since 2008. Transition from cash to bank or post-office payments is 
presently complete to a large extent. In fact, over 9 crore NREGA accounts (covering 83% of 
NREGA job card holders) were opened by 2009-10, without UID in the picture. 

What about corruption in material purchase: UID can address only some of the wage- 
related fraud in NREGA; it can do little about material-related corruption, a serious concern 
in recent years. 22 

Theft from beneficiaries: Benefits of the UID project are contingent on beneficiary 
verification at the point of service. Therefore delivery of service will depend o n functional 
bio metric equipment. This creates the following issues: (1) E very single point of service must 
be equipped with a biometric reader e.g., all NREGA work sites - there are about 600,000 and 
the simplest IMbllieilic readers cosF at least Rs 2,000 each. (2) Damage of biometric readers, 
due to normal wear and tear or other causes tinciudin^ possible sabotage), will disrupt service 
delivery. Any contingency measures that bypass biometric authentication will be vulnerable 
to fraud. (3) Corruption is rampant and requires comprehensive safeguards; a static single- 
point mechanism is likely to be unreliable in the medium to long-term. 

Disruptive potential: Last but not least, UID could easily disrupt NREGA's fragile 
processes. The UIDAI plans to involve "service providers'* who will enrol individuals for 
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UID. Later, they will be involved in authentication of workers at woiksites The result of such 
changes will be diastic for NILEGa Payments will come to a halt if workers are still waiting 
foi their Aadhai numbei. And “service piovideis” are all set to invade NRJEGA, outside the 
framework of the Act, without any safeguards 

Because of this potentially disruptive role of UID in NRJEGA, nearly 200 scholars and 
activists signed and ciiculated a petition called “Keep UID Out of NREGA! in December 
2010. 23 The concerns raised in that petition are yet to be answered. 

mil UID Fix the PDS? 

Similar reservations apply to the UlDAl’s concept note on “UID and PDS System”." 4 Again, 
tall claims are made without an adequate understanding of how the PDS works. 

Dealing with exclusion from social benefits: The UIDAI claims that the project can help to 
deal with the fact that many poor people do not benefit from government welfare schemes 
such as the PDS. The reason behind this, according to the UIDAI, is that people do not have 
an identity. However, in the case of the PDS, the two main reasons for the poor being 
excluded are that (a) the government is willing to provide subsidized food to too few people 
("low coverage") and (b) there is "misclassifieation" of households. This means that because 
the government's criteria for identifying the poor, and the implementation of these guidelines, 
are faulty, many poor families are excluded. UID can do nothing about these two problems. 



**-*’ 5 - 
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Bogus cards and de-duplication: One of the main claims is that UID will eliminate "bogus" 
cards. .The UIDAI seems to be unable to distinguish between the various types of bogus 
cards: (a) “ghost” cards, i e, where cards exist in the names of non-existent or deceased 
persons; (b) “duplicates” where one person or household, entitled to one card, manages to get 
more through unfair means; and (c) “misclassified” cards, when ineligible households or 
persons claim benefits (or, inclusion errors). The UID can help deal with the first two, but not 
the third type of bogus cards (on that see "classification errors" below). 


The next question then is, how large is the problem of "ghost" or "duplicate” cards. That 
question is not easy to answer. It is not clear how large the problem of duplicate or bogus 
BPL cards actually is. If the recent example of Tamil Nadu weeding out bogus cards is any 
evidence, then it is only 2% (Planning Commission, 2004). Chliattisgarh tried to achieve de- 
duplication by computerizing the database 6f ration card holders and distributing ration cards 
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with holograms, without lelying on UID Fight pei cent oi caids weie found to be 
"duplicate'* 


Further, the elimination of ghost and duplicate cards requires that UID enrolment be 
compulsory and universal This is best explained by Nandan Nilekam himself (in an 
interview to Outlook Business in October 2010): “You can’t make it mandatory m the first 
instance. Let’s say a particular state decides to issue fresh ration cards from 1 May 2011. 
Now, they may decide to have Aadhaar numbers on all these cards For some time, in parallel 
there will be the earlier cardholders who will not have Aadhaai. We can't completely 
eliminate duplication. But ovei tune, as Aadhaar numbers in ration cards become nearly 
universal, they can then say ‘from now onwards, only Aadhaar-based ration cards will be 
accepted’. At which point, duplication will cease to exist.” 


Classification errors: One of the major problems with the existing, targeted PDS is that of 
classification errors: many poor families are not identified as poor ("exclusion errors”) and 
better-off families often get the benefits ("inclusion errors"). According to Dreze and Khera 
(2010), nearly half of the poorest 20 percent did not have BPL cards in 2004-5. UID will not 
be able to correct this as it will only verify if the beneficiary exists and is unique. 
Consequently, the UJOD number won’t be able to solve the problem of misclassification. 




*Last mile” problem: Another common problem is that PDS dealers “short-change” their 
customers: they give them less than their entitlement, and make them “sign” for the full 
amount. Again, UID will be of little help here. If customers can be duped into signing (or 
giving their thumbprint) for more than what they are given, they can surely be convinced to 
give their UID number for the same purpose. 

j 

Upstream Leakages: A large part of the PDS leakages happen before the foodgrains reach 
the PDS dealer. For example, much of PDS grain used to be diverted between government 
godowns and the village ration shop. The UID project is not designed to deal with upstream 
leakages in the distribution and delivery systems. 

Portability: The UIDAI also makes a claim of “portability of benefits”, i e, that with a UID, 
beneficiaries can claim their benefits wherever they are. A PDS that allows beneficiaries to 
draw their rations from anywhere in the country would indeed be a desirable improvement 
over the present system. The portability argument is perhaps the most enticing aspect of the 
UID programme as fas as the PDS is concerned. However, this too is not very well thought 
through. Though the UID is portable, benefits may not be, because the latter present 
operational issues that cannot be solved by the UID. 
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A more plausible contribution of U1D to “PDS reform” is that it would facilitate the transition 
to cash transfers (instead of food entitlements), advocated by many economic advisets and 

^ S 

policy-makers This move, however, is itself fraught with dangeis.' 

UlD and Public Health 





A study by Oxford University holds that in India, more than a million people die every year 
due to lack of adequate liealthcaie. Also, 700 million people have no access to specialist care, 
as 80 per cent of the specialists live in urban areas. 26 

Against this background, the UIDAI shrewdly identified public health as a “killer 
application” (sic) for UID. As the UlDAl’s concept note on “UlD and Public Health” states: 
“Existing data bases would probably still leave a large percentage of the population 
uncovered. Therefore every citizen must have a strong incentive or a “killer application” to 
go and get herself a UID, which one could think of as a demand side pull. The demand and 
pull for this needs to be created de novo or fostered on existing platforms by the respective 
ministries. Helping various ministries visualise key applications that leverage existing 
government entitlement schemes such as die NREGA and PDS will (1) get their buy-in into 
the project (2) help them roll out mechanisms that generate the demand pull and (3) can 
inform a flexible and future-proof design for the UlD database, it will also build excitement 
and material support from the ministries for the UID project even as it gets off the ground.’* 27 
The game plan could hardly be more explicit. 

Mohan Rao, a professor at the Centre of Social Medicine and Community Health (JNU, New 
Delhi) articulated a scathing critique of UIDAPs lofty claims about uplifting the public health 
situation in the country. 28 



“The UID working paper on public health would have us believe that these changes occurred 
because of a lack of ‘demand* for healthcare, as it sets out what it calls a ‘killer application’ 
to provide citizens an incentive to obtain a UID card in order to meet health needs. This 
unfortunate language apart, the fact that we have not built a health system is hardly 
fortuitous. It is true that we do not have good quality health data or indeed even vital 
statistics; it is true that this should come from integrated routine health system and not ad-hoc 
surveys.” 






He asserts that UID is not devised to deal with the public health challenges of our country. 
“On the contrary, given that many diseases continue to bear a stigma in this country, the UID 
scheme has the unique potential of increasing stigma by breaching the anonymity of health 
data collected. It thus violates the heart of the medical encounter, namely confidentiality. By 
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making this information potentially available to employers and msmance companies, the 
scheme bodes furthei gross violations ol health lights ” 


Referring to the NGO leports about the Delhi government’s “Mission Convergence” scheme, 
under which biometric health insurance cards were issued to slum dwellers by which they 
could avail free treatment, Rao holds that there have been a lot of complaints about 
malfunctioning fiugeiprint readers, despite multiple swipes. He advises the Health Ministry 
to hold back on their support for UID until a conclusive study of the costs and risks of this 

project is undertaken. 


D. Concerns: Biometrics, Privacy, Data security. Surveillance 




Q. 20. What are biometrics? 

Biometrics is the science of identifying persons based on their physical (e.g. fingerprints) or 
behavioural (e.g. voice) traits. It builds on the fact that individuals are physically and 
behaviouraliy unique in many ways. Technically, biometrics has been defined by experts as 
“the automated recognition of individuals based on their behavioural and biological 
characteristics. It is a tool for establishing confidence that one is dealing with individuals who 
are already known (or not known)—and consequently that they belong to a group with certain 

rights (or to a group to be denied certain privileges).”* 

Post “9/11”, many countries have overhauled their surveillance mechanisms through 
legislations and technological upgrades, and subjected the public to scrutiny. When this 
revamp began, the use of biometrics came to be seen as inevitable. Fierce debates emerged, 
as opponents have raised strong arguments against intensive monitoring, profiling and 
invasion of privacy. Though some of these objections stem from exaggerated fears of being 
victimised by government agencies wielding excessive power, others are not unjustified. 

Q. 21. What are the technological concerns that face UID? 

a 

Many concerns have been expressed about the technological feasibility, reliability and safety 
of the UID project. Here are some. 


A recent NASSCOM document, prepared by Dr. Kamlesh Bajaj, points out that since the 
UID database has to be accessible over networks in real time, it involves major operational 
and security risks - as with any such applications. 30 If networks fail or become unavailable, 
the entire identification system may collapse. Biometric and other data may become a target 
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fo, hackers and other malicious entities “Such a system is also pi one to ftmction.il creep 
(secondary uses) and insider abuse There is also a significant nsk of transmitting b.ometric 
data over networks wheie they may be intercepted, copied, and actually tampered with, often 

without any detection” 

Another concern is the reliability of biometrics For instance, since iris development does not 
take place till the age of 7 years and children do not have sharp patterns of fingerprints till 
they are 15, giving children UID numbers is a huge challenge. Also, worn-out fingers of 
farmers and manual laboure.s will be difficult to scan, and an iris scan can't be done on 
people with comeal blindness or corneal scais Some experts also argue that manufacturers 
have not been able to put into practice a fingerprint system that can effectively distinguish 
human fingers and artificial fingers of silicon, rubber, acrylic, paint, etc. 

Aside from the costs of employing such a system, inclusive of not just the financial 
expenditure, but also of the time and effort it takes to enrol individuals and collect their 
-i, biometric data, 100% reliability in authentication can never be guaranteed. A large proportion 

of biometric trials have been conducted in the ‘frequent traveller" setting, among volunteers 
who are primarily white male professionals in the 20-55 age groups. 3 " Diverse conditions will 
throw up more challenges to such a system. 

Q. 22. Does UIDAI currently function under the purview of a law? 

Ironically enough, UIDAI has been on an enrolling spree since September 2010 without a law 
sanctioned by the Parliament. However, as we saw, the proposed NIAI Bill seeks to establish 
the National Identification Authority oflndia (NIAI) as a statutory authority and lay down 
rules, processes and safeguards concerning Aadhaar. The NIAI would consist of a 
c hair person and two part-time members. The bill also authorizes the creation of an Identity 
Review Committee, designed to monitor usage patterns of UID numbeis. 

The Bill states the date of the Act coming into force as being subject to its notification by the 
t, Central Government in the gazette once the Parliament passes it. Now what is problematic 

here is that the collection of biometric and personal data and issuing of UID cannot and do 
not have any statutory sanction until the bill is passed by Parliament. Demographic and 
biometric information to be recorded have been left to regulations, empowering the NIAI to 
collect additional information without prior approval from Parliament. 

Additionally, Clause 3(1) of the bill does not make it compulsory for individuals to enrol, but, 
as mentioned before, nothing prevents service providers or government agencies from 
positioning UID as a pre-requisite for availing services. 
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Biometrics: Reliable or Fallible? 

Over the years, biometrics are being us»ed more and more for a wide variety ol purposes, such 
as to “lecogmze individuals and regulate access to physical spaces, in formation, services, and 
to other rights or benefits, including the ability 10 cross international bordeis ” 

Here’s why biometric systems have a shaky base: 

• Variation within persons Biometric information may be affected by changes in age, 
environment, disease, stress, occupational factors, training and prompting, intentional 
alterations, socio-cultural aspects of the situation in which the presentation occurs, 
changes in human interface with the system, etc. 

■ Sensors* “Sensor age and calibration, how well the interface at any given time 
mitigates extraneous factors, and the sensitivity of sensor performance to variation in 
the ambient environment ^such as light levels) all can play a role.’ 

■ Feature extraction and matching algorithms. “Biometric characteristics cannot be 
directly compared but require stable and distinctive “features* to first be extracted 
from sensor outputs”. For example, every finger of an individual will generate a 
different image due to external factors such as dirt, moisture, etc. Therefore these 
multiple impressions from one finger can be matched by good algorithms to the 

correct finger source. 

• Data integrity: “Information may be degraded through legitimate data manipulation or 
transformation or degraded and/or corrupted owing to security breaches, 
mismanagement, inappropriate compression, or some other means *’ 

Also, social, cultural and legal factors come to have a bearing on such a system’s acceptance 
by its users, its performance, or whether a system like this should be adopted in the first place. 
Such factors need to be unequivocally taken into consideration while designing the system. 
That is to say, the effectiveness and accuracy of the system is contingent on user behaviour 
which in turn is shaped by the larger social, cultural and legal context. 

“When used in contexts where individuals are claiming enrolment or entitlement to a benefit, 
biometric systems could disenfranchise people who are unable to participate for physical, 
social, or cultural reasons. For these reasons, the use of biometrics— especially in applications 
driven by public policy, where the affected population may have little alternative to 
participation—merits careful oversight and public discussion to anticipate and minimize 
detrimental societal and individual effects and to avoid violating privacy and due process 

rights.” (p. 10) 

Another disquieting aspect of biometric systems is the potential for misuse of power. Many 
experts have suggested that such tea is must be addressed with all seriousness. 

Although biometric systems have penetrated many areas, like identifying tenorists, criminals, 
personalization of social services, better control of access to financial accounts, etc, yet, a 
number of unsettled questions remain regarding the effectiveness and management of systems 
for biometric recognition, as well as the appropriateness and societal impact of their use. It 
looks set to expand into more areas but the intrinsic concerns of such a system have clearly 
not been adequately addressed. Not even close. 

Source: Biometric Recognition: Challenges and Opportunities , Joseph N. Pato and Lynette I. 
Millett (eds.); Whither Biometrics Committee, National Research Council, 2010. 
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Though the information gatheied by the NIAI may be shared with other agencies with the 
consent of the UID number holder, in this bill, the safeguards foi protection of privacy of 
individuals are weak Under Clause 33 (b), the NIAI is leqiuied to disclose identity 
information m the interest of national security, if so directed by an authorised officer of the 
rank of Joint Secretary or above in the central government. The safeguard for piotection of 
privacy differ from the Supreme Coiut guidelines on telephone tapping; these permit phone 
tapping under threat of “public emergency” for a period of six months, while information 
gathered by UID can be shared in the interest of national security, offering no review 
mechanism. 

This leaves space for profiling and surveillance of individuals by intelligence agencies, as 
nothing in the bill prevents them from using the UID to “link” various databases (such as 
telephone records, air travel records, etc.). This kind of a system could lead to persecution of 
innocent individuals who may get tagged falsely as potential threats. 

As far as “Offences and Penalties” are concerned in this bill, it holds that no court shall 
acknowledge any offence except on a complaint made by the NIAI This effectively exempts 
NIAI of any public accountability. This heavy concentration of power in a single authority is 
alarming and raises grave doubts about just how transparent this system really is. 

Q. 23. How does UID impact privacy concerns in India? 

Internationally, there is growing concern about privacy and its protection. In India, however, 
paying lip service to this issue once in a while is as good as it gets. (Although in May 2000, 
the Indian government passed the Information Technology Act, a set of regulations meant to 

t 

provide a comprehensive regulatory environment for electronic commerce). 

Despite all assurances about protection of sensitive information on mass scale, it must be 
acknowledged that any database that stocks up such personal infonnation brings with it the 
risk of misuse by various agencies be it public or private, impinging on an individual's 
privacy. Even UIDAI chief Nandan Nilekani has conceded, on record, that the countiy 
needed well-defined privacy laws to prevent any malicious use of data. Regarding the 
possibility of data being misused, he said that the only service provided by the UIDAI was 
that of authentication. 

In the NIAI Bill, there are sketchy descriptions of offences like “intentionally” accessing the 
UID database and damaging, stealing, altering or disrupting the data. But it provides no 
means for a person whose data is stored to know that such an offence has been committed; 
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and it does not allow prosecution to be launched except on a complaint made by the authority 
or someone authorised by it 

So, given the lack of privacy laws in India, '"convergence” of the UID database with other 
systems could spell a lot of double 

A related danger is '‘tracking”. This stands to alter the relationship between the state and the 
citizen. With the integiation of databases, the state would have enormous power to track 
people’s movements and communications, or to profile them. 

Q. 24. Is there a redressal mechanism? 

* 

It is unclear as to how errors and inaccuracies in the UID database will be corrected as they 
emerge. Under the proposed NLAI Bill, if someone finds that his/her “identity information” is 
wrong, he/she is supposed to “request the Authority” to connect it, upon which the Authority 
“may, if it is satisfied, make such alteration as may be required”. So although there is a legal 
compulsion to alert the Authority, there’s no right to correction. 33 



E. UID and Other Databases 
Q. 25* What is NATGR1D? 

In a lecture he gave at the 22 ml Intelligence Bureau Centenary Endowment in December 
2009, Home Minister P. Chidambram announced that the central government had decided to 
create a National Intelligence Grid (NATGRID). “Under Natgrid, twenty-one sets of 
databases will be networked to achieve quick seamless and secure access to desired 
information for intelligence and enforcement agencies," he said. 34 Under this, the UID 
number of each individual will become the link between the different databases. These 
databases would be integrated with information available not just with government agencies 
and public sector, but also private organizations such as banks, insurance companies, stock 
exchanges, airlines, railways, telecom service providers, chemical vendors, etc. This would 
give security agencies the power to access sensitive personal information such as bank 
account details, market transactions, websites visited, credit card transactions etc. 

In the 2011-2012 budget, NATGRID got an allocation of Rs. 41 crores. With an estimated 
overall budget of Rs 2,800 crores and a staff of 300, NATGRID is supposed to be a “world- 
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class” measure for combating terronsm and dealing with internal secunty threats NATGRID 
is headed by Captain Raghu Raman, fonner Chief of Malnndia Special Services Gioup.” 

Telecom and internet service pioviders will be obligated by tegulations to link up their 
databases with NATGRID: “The databases so far identified for being linked in the grid 
include those of rail and air travel, phone calls, bank accounts, credit card transactions, 
passport and visa records, PAN cards, land and property records, automobile ownership and 
driving licences” In India, a citizen has virtually no legal protection against government 
surveillance. In a petition filed by People’s Union foi Civil Liberties (PUCL) in 1996, the 
Supreme Court ruled against arbitrary surveillance. This was overturned by Parliament with 
the passage of the Information Technology (Amendment) Act 2008. No political party raised 
any objections when the government passed this Act, which removed certain safeguards 
against surveillance. 

In a case pertaining to invasion of privacy, pending before the Delhi High Courr, the Court 
observed: “We have no clear definition of what is meant by ‘invasion of privacy* within the 
RTI Act.” 

Then in February 2010, the Cabinet Committee on Security expressed its reservations to the 
Home Ministry about protection of individuals’ privacy within NATGRID and its zealous 
goals, and held up its development till the ministry prepared a detailed report on “inbuilt 
safety mechanism.’* 36 

That wasn’t the only hiccup. Even Finance Minister Pranab Mukherjee adopted a cautious 
tone in a hand-written note addressed to NATGRID’s CEO, Raghu Raman. “Intrusion into 
privacy of the bank depositors is just not acceptable as it will discredit the banking system 
and the people will stall using other modes for securing their funds and cany on 
transactions," said Mukheijee. 37 This was a reaction to Raman’s efforts at giving directives to 
the Reserve Bank of India (RBI) to allow his organisation access to individual savings 
accounts through the district magistrates to identify the “terror money trail”. 

Q. 26. What is Crime and Criminal Tracking Network and Systems (CCTNS)? 

The Crime and Criminal Tracking Network and Systems (CCTNS), on the other hand, with 
an outlay of Rs 2,000 crores, aims at creating a comprehensive and integrated system for 
enhancing the efficiency and effectiveness of policing at the police station level through 
interlinking CCTNS with UID. It would facilitate exchange of data on criminals. Around 
20,000 police stations, courts, fingerprint bureaus, forensic laboratories etc., will be linked on 
a national databank, thereby helping people toTodge and track complaints on line. Linking of 
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ULD with such e-governance projects will lead to consolidation oi data and greater profiling 
by the state. 

Q. 27. What is the National Population Register (NPR) and how is it linked to UID? 

The arduous task of providing over a billion people with a UID number also overlaps with the 
mandatory Census of 2011, which will ultimately lead to the establishment of the National 
Population Register (NPR). The NPR project has not been initiated under the Census Act, 
1948. It is being earned out under the Citizenship Act of 1955 (after an amendment was 
made) and the Citizenship (Registration of Citizens and Issue of National Identity Cards) 
Rules 2003. 




After a cabinet meeting in March 2010, chaired by Prime Minister Manmohan Singh, the 
creation of NPR was approved “The project would cover an estimated population of 1.2 
billion and the total cost of the scheme is Rs 3,539.24 crores,” Information and Broadcasting 
Minister Ambika Soni told reporters. 38 She said the creation of a digital database with 
identity details of all individuals along with their photographs and finger biometrics “will 
result in the creation of a biometrics based identity system in the country... will enhance the 
efficacy of providing services to the residents under government schemes and programmes, 
improve the security scenario and check identity frauds in the country” 

Data for the NPR will be collected along with the house listing and housing census which 
started in April 2010, and was supposed to be completed by September 2010. The NPR 
database, on being finalized, is to be sent to the U1DA1 for biometric de-dupiieation and 
allocation of a UID number. “This number will be added to the NPR database,” Soni said 

Little is known about how the government plans to integrate UID with NPR. In the village of 
Tembhali, both were meant to work together in capturing biometrics. The Census Office (also 
known as the Registrar General of India) has been given the authority to collect the biometric 
data through an Act of Parliament. But the information recorded by the private enrolment 
agency working for UIDA1 is different from the details captured by the census enumerators. 
Unique identity numbers were meant to be issued by the agency based on the information 
recorded for NPR. This meant that while every Indian resident would have an NPR card and 
a UID number, the enrolment was meant to be carried out by the Census office . 

But for now it looks like the private registrars working on behalf of U1DAI do not have 
access to the digitised NPR information and have started the collection process again. In a 
recent report, it was found that in Sahada, a tehsil in Nandurbar (Maharashtra), the residents 
were being enrolled again even though they were the first recipients of UID cards in the 
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country last September Tera Software Limited, the regisuar in Sahada, has been collecting 
information which doesn’t match with the details collected by the census office While the 
census captured demographic data such as name, address, educational qualifications etc, the 
UID enrolment form has been asking residents to fill up information such as voter card 
number, PAN number, LPG connection number, etc 

Recently, UIDA1 put fonvard a request to the government for an additional Rs. 15,000 crores 
to enrol the population by capturing the biometric data by using its own agents. 
This means that if both Census and UIDA1 cany out their own enrolments, it would cost the 
government an additional Rs 10,000 to 40,000 crores.' 10 Also, while the UID is doling out 
incentives for people to register, NPR has no such plans. Because of this, states such as 
Rajasthan, Madhya Pradesh and Gujarat have opted out of NPR. While UIDAI has relied on 
209 registrars as part of its “outsourced service oriented” infrastructure, concerns have been 
raised about private enrolment agencies handling personal data such as bank account details. 

The risk of misuse gets greater as some of the enrolment agencies such as Alankit 
Assignments, Alankit Finsec and Alankit Lifecare have a stake in the healthcare and 
insurance sectors. Some private enrolment agencies such as Tera Software have been found 
sub-contracting the work to other firms without government approval. 41 A group of central 
public sector firms and the Department of Information Technology are responsible for 
capturing biometric data for NPR. Concerns were raised by the Standing Finance Committee 
of the Parliament for the Ministry of Planning about UIDAI collecting biometric data without 
any legal approval. 


There are critical arguments against such linking of data. Says law researcher and rights 
activist Usha Ramanathan: “There is an express provision regarding ‘’confidentiality’ in the 
Census Act, which is not merely missing in the Citizenship Act and Rules but there is an 


express objective of making the information available to the UIDAI for instance, which 


narks an important distinction between die two processes. Section. 15 of.,t^e,,Census Act, 
:ategorically makes the information that we give to the census agency ‘not open to inspection 


nor admissible in evidence’. The Census Act enables the collection of information so that the 

^ *42 

state has a profile of the population; it is expressly not to profile the individual.’ 


She continues, “The information gathered in the house-to-house survey, and the biometrics 
collected during the exercise, will be fed into the UID database. This will provide the bridge 
between the ‘silos’ of data that are already in existence, and which the NPR will also bring 
into being.” 
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And now to briefly turn to UK’s experience when the proposal of initiating a National ID 
system was in consideration It saw a multitude of arguments 1'iom civil society activists and 
the media about the issue. “The government wants to reassure us It says it’s mistworthy; it 
says there’s a lot of scattered data out them about us anyway - surely it’s just common sense 
to link it up? Yet security expens know that the linking and aggiegation ol detailed personal 
information on this gigantic scale will be unstable and dangeious to everyone, because of the 
depth of what it reveals, because of its secrecy and because it will present a vulnerable target 
for electronic attack, whether by hostile governments, by international terroiism, or by your 
spiteful colleague,” says Christina Zaba, a journalist and activist 43 

Q. 28. How is U1D related to NATCRID, CCTNS, NPR and other databases? 

The UID number will be fed into a database to be shared with NATGRID, which includes 11 
security and intelligence agencies (Intelligence Bureau, Research and Analysis Wing, CBI, 
Central Boards of Excise and Direct Taxes, etc). This kind of cross agency interlinking will 
enable them “to detect patterns, trace sources for monies and support, track travellers, and 
identify those who must be watched, investigated, disabled and neutralized”. 

“There are presently various pieces of information available separately, and held in discrete 
‘silos’. "We give information to a range of agencies; as much as is necessary for them to do 
their job.. .The ease with which technology has whittled down the notion of the private has to 
be contained, not expanded. The UID, in contrast, will act as a bridge between these silos of 
information, and it will take the control away from the individual about what information we 
want to share, and with whom,” says Usha Ramanathan. 

Q. 29 . Is there a role for private sector firms in the UID project? 

There’s a good reason why the UID project is getting a unanimous thumbs up from the 
corporate sector. Initial estimates suggest that the project will create 1,00,000 new jobs in the 
country, and business opportunities worth Rs 6,500 crores in the fust phase. 46 

The UID project, built on the PPP model, is a complicated system that depends on complex 
technology. Aside from issuing UID numbers, the UIDAI is expected to act as a regulatory 
authority, manage a Central Identities Data Repository (C1DR), update resident information 
and authenticate the identity of the residents as required. 

UIDAI has awarded four consortia (Accenture, Mahindra Satyam, Morpho and LI-Identity 
Solutions) to implement core biomenic identification systems in support of the Aadhaar 
programme. Essentially these four agencies would design, supply, install, commission, 
maintain and support the biometric identification subsystem. They would also be involved in 
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the development of a software development kit (SDK) for client enrolment stations, the 
verification seiver, manual adjudication and monitoring functions of the U1D application. 

As fai as Accenture is concerned, the terms of its initial contract will urn up to two yeais or 
until 200 million enrolments have been registered (whichever comes first). Along with 
Accenture, the team includes Daon, a leading global provider of biometric technologies, and 
MindTree, a Bangalore-based global IT company that delivers innovative technology 
solutions. L-i Identity Solutions is a large American defense cont 3 actorinConnect 1 cut.lt 
was formed in August 2006 from a merger of Viisage Technology and ldennx Incorporated. 
It specializes in selling face recognition systems, electronic passports such as Fly Clear, and 
other biometric technology to governments such as the United States and Saudi Arabia. It 
also licenses technology to other companies internationally, including China. 

Also, the contracts for purchase of biometric devices have been bagged by Tata Consultancy 
Services (TCS), HCL Info Systems Ltd, Base Systems Pvt Ltd, 4G Identity Solutions Pvt 
Ltd, e-Smart Systems Pvt Ltd. 

Private players are set to reap the benefits. w We considered 2009 as a launch year for the expo 
entirely focused on homeland security and we saw over 130 companies from 15 countries 
participate. Next year we expect larger participation, especially from the US and European 
countries including France and Russia,” Mehul Thakkar, marketing manager of 1NDESEC, 
said. 


Q. 30. More than meets the eye? 

With regard to LI Identity Solutions, it is interesting that former Central Intelligence Agency 
(CIA) and other American defense organisations’ officers are now working in the capacity of 
directors and other positions in the top management of the company. While that is not exactly 
illegal, it has overtones of inappropriateness. George Tenet, former director, CIA, is on the 
board of directors of L1 Identity Solutions, among other similar organizations, and has been 
accused, not without reason, of profiting from the involvement of such companies in the Iraq 
war. 48 Also Saffan, a French company, acquired L-l Identity Solutions following the sale of 
L-l's intelligence services businesses to BAE Systems. After giving effect to the BAE 
Systems transaction, L-l will consist of Secure Credentialing Solutions, Biometric and 
Enterprise Access Solutions and Enrolment Services. 

In the United States, L-l not only manages, the state driver’s license business but is also 
engaged in the production of all passports, provides identification documents for the 
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Department ol Defense and has contiacts wuh nearly every intelligence agency tn the 
government. L~1 was rejecied by US government agencies on grounds ofJow quality of its 
biometric cards. In June 2010, a support contract unit of L-3 Coirununications Corp said it 
was de-listed from providing service to any federal agencies ui the US. The support contiact 
unit was providing aircraft maintenance and logistic support to the US Ail Force. The unit 
allegedly used government computer networks to collect data to promote its own business. In 
September 2010, the company received US$ 24 million for the project from the U1DA1. The 
compauy has already shipped some units of die Agile TP fingerprint slap devices and mobile 
iris cameras. In a Forward Looking Statement the company said it hopes to complete the 
remainder of the shipment by Match 2011 49 

Mark Lemer, who is with the Constitutional Alliance (an American non-profit educational 
organisation) and is also the authoi of the book Your Body is Your ZD, says: “To a large 
extent it is fair to say that your personal information is L-l’s information. L-l is the same 
company that thinks our political party affiliation should be on our driver’s license along with 
our race.” Commenting on L-l’s acquisition by Saffan, he continues: “Just think about how 
happy you can feel now knowing that your personal information including your social 
security number and biometric information (fingerprints, iris scans and digital facial images) 
may soon be available to a French company. The federal government must sign off on the 
deal before the deal can be sealed. All this brings us back to the topic of the revolving door 
that exists between government and coiporations.” 50 

The prospect of such companies having a deep reach into the massive sensitive UID database 
would make any person weary. 

Q. 31. Are there any other business interests in UID we should be concerned about? 

Yes. For instance, there is a vast potential for UID applications in the field of marketing. UID 
seems set to facilitate charting of consumption patterns to an integrated pan India da tab ase 
which “would work towards promoting India as an accessible market place for banking, 
financial and other institutions”. 51 This is possibly going to alter the idea of citizenship 
drastically in the end. 

Addressing the Nielsen Company's “Consumer 360” event in New Delhi on 25 November 
2010, UIDAI Chairman Nandan Nitekani said that over a third of India's 1.1 billion 
“consumers” had been largely overlooked in areas such as banking and social services. 52 


“The (unique identification) number will create a much more open marketplace, where 
hundreds of millions of people who were shut out of services will now be able to access 
them," he told business leaders, adding that the poor find it difficult to reach the market. 

24 
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"Then anonymity' limits agencies from piovidmg them services that are ieinote!y available, 
and that could be accessed tlirough a mobile phone," he said 

There is a definite move m the industry to co-opt the public on the use of sensor technology 
and how it can radicalize everyday life. According to lnfosys’s chief executive officer S. 
Gopalakrishnan, sensor technologies integrated with IT networks, cloud computing, and the 
mobile internet “will drive investment, and change how companies automate business 
processes in the future”. 55 Integrated sensor technologies are attuned to identifying a 
customer entering a store and offer her new products and customized discounts based on her 
prior buying behaviour, he adds 


The use of biometrics in consumer ID applications worldwide are projected to grow at a 
Compound Annual Growth Rate (CAGR) of around 27% between 2010 and 2012. 54 With 
advancements in sensor technology and algorithms, biometrics seem to have become a choice 
for the financial services industry as well. 

ii 


F. Similar Initiatives across the World 



Q. 32. How have other countries approached such projects? 


Debates about systems of national identification have been taking place worldwide fora long 
time, but with a growing intensity in the last few years. Technological progress and the 
current socio-political scenario have led to growing support for complex ID systems from 
governments and particular sections of the population. Below is a brief description of similar 
projects across the world (for country-specific details, see Appendix 2). 


Some of the most prolific examples of National ID programmes and their subsequent 
outcomes can be seen in Australia, UK and the US. Australia witnessed perhaps the fiercest 
opposition to national ID cards, hi 1985, there was a proposal to introduce these cards 

(mostly for curbing tax evasion) but due to severe backlash from activists and citizens, 

2 . 

backed by strong media support, it was withdrawn in 1987. 


The Real ID Act-passed by the US in 2005 has also been opposed by many states on. grounds 
of privacy and threat to data secufity. As a compromise, the Obama administration, in2009.r 
introduced|P4|f||p in; the Congress. The tyss ID Act sets strong security/standards for ' 
identification gards.and driver's licenses. However, it does not collect personal information of 

individuals and store it in a centralized database, accessible by any state authority, as the UID f 

' ' ' ' ■ 

project, does. <■, 
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After many deliberations and public debates, the '“UK National Identity Card Scheme was 
scrapped in 2011 by the Conservative-Lib Dem Coalition. Some of the primary reasons cited 
were the cost of implementing the scheme (£4.5bn) and the infringement of civil 
liberties. Among European nations, many have ID cards, voluntary or mandatory. An 
interesting case is that of Germany Starting in November 2010, German ID cards were 
incorporated with RFID chips containing personally identifiable information including a 
biometric photo and, if desned, two fingerprints. After a group hacked the new national ID 
system, live on TV, Germany's Federal Office for Information Security acknowledged that 
the card's PIN can be cracked using nojan malware, similar to keylogging software 


Some Middle Eastern countries are planning to issue “smart” ID cards, with Oman taking the 
lead. The ID card in Oman stores fingerprints, but information on the card is not given to all 
government agencies nor the private sector. 


In Asia, one countiy worth mentioning is Malaysia, which has made a successful transition to 
a smart card containing personal information including health details and driving licenses. 
Taiwan's attempts to introduce a national ID card with fingerprints met with severe 
opposition due to privacy issues. In China, there was a system of providing ID cards, 
containing veiy basic information, since 1985. In 2003, the card was legally updated for law 
and order purposes and comprised of a chip storing additional information. By 2004, the 
government introduced the ' second generation mandatory ID caids, which had a small 
storage capacity, therefore restricting information to name, gender, ethnicity, residence and 
date of birth - but decided against it as this huge system was found to be very challenging to 
handle and of doubtful reliability. 


Given this context, it becomes glaringly obvious just how pervasive and intmsive the UID 
system is set to be, tar more than any of the systems that have been rejected elsewhere. Some 
people argue that just because countries like the US, UK and Australia were not able to 
implement or simply scrapped similar programmes, doesn’t mean India cannot do it - India 
can be a leader in implementing such an ambitious programme. But then again, isn’t it 
sensible for a "global" nation like India to leam from the experiences of other countries - the 
very same ones a section of the population believes India aspires to be like? 


END NOTE 


It is important to understand that implementing a national ID system of this magnitude is 
poised to alter the way we live as well as the relationship between the citizen and the state. 
As Graham Greenleaf, an Australian data protection expert and one of the pioneers of the 
anti-ID card movement, puts it: “Is it realistic to believe that the production of-identity cards 
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by children to adults in authonly to piove then age will be ‘purely voluntary’? The next 
generation of children may be accustomed to always carrying their Cards, to get a bus or 
movie concession, or to prove they are old enough ro drink, so that in adult life they will 
regard production of an ID card as a routine aspect of most uansactions ” 

The UID project has the potential of being a financially exorbitant and socially invasive 
debacle, given that it is the largest national ID card project in the world, in scale and scope. 
Instead of the government becoming more accountable to its citizens, this system lays the 
burden on the governed. Of course, if the project succeeds, it may have useful applications 
too. But does this justify the kind of intrusion that UID is set to create into people's lives? 
Perhaps what would help is a meaningful dialogue with various sections of society, with 
ample space to debate the implications of such a project and even reconsider it. 
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Appendix 1 

Valid Identification Documents 

A range of identification cards/documents were m use before the U1D came into the scene. 
They are listed below, along with the information they contain* 

Documents Containing Name and Photo 

1. Passport 

2. PAN Card 

3. Ration/ PDS Photo Card 

4. Voter ID 

5. Driving License 

6. Government Photo ID Cards 

7. NREGS Job Card 

8. Photo ID issued by Recognized Educational Institution 
9* Arms License 

10. Photo Bank ATM Card 

11. Photo Credit Card 

12. Pensioner Photo Card 

13. Freedom Fighter Photo Card 

14. Kissan Photo Passbook 

15. CGHS / ECHS Photo Card 

16. Address Card having Name and Photo issued by Department of Posts 

17. Certificate of Identify having photo issued by Group A Gazetted Officer ou Letterhead 

Documents Containing Name and Address 

1. Passport 

2. Bank Statement/ Passbook 

3. Post Office Account Statement/Passbook 

4. Ration Card 

5. Voter ID 

6. Driving License 

7. Government Photo ID cards 

8. Electricity Bill (not older than 3 months) 

9. Water bill (not older than 3 months) 

10. Telephone Landline Bill (not older than 3 months) 

11. Property Tax Receipt (not older than 3 months) 

12. Credit Card Statement (not older than 3 months) 

13. Insurance Policy 

14. Signed Letter having Photo from Bank on letterhead 

15. Signed Letter having Photo issued by registered Company on letterhead 

16. Signed Letter having Photo issued by Recognized Educational Instruction on letterhead 

17. NREGS Job Card 

18. Arms License 

19. Pensioner Card 

20. Freedom Fighter Card 

21. Kissan Passbook 

22. CGHS ) ECHS Card 







23 Certificate of Address having photo issued by MP or MLA 01 Gioup a Gazetted Offlcei 
on letterhead 

24. Certificate of Address issued by Village Panchayat head 01 its equivalent authority (for 
rural areas) 

25 Income Tax Assessment Order 

26. Vehicle Registration Certificate 

27. Registered Sale / Lease / Rent Agreement 

28. Address Card having Photo issued by Department of Posts 

29. Caste and Domicile Certificate having Photo issued by State Govt. 

Proof of Date of Birth Documents 

1. Birth Certificate 

2. SSLC Book/Certiticate 

3. Passport 

4. Certificate of Date of Birth issued by Group A Gazetted Officer on letterhead 








Appendix 2 

ID Systems and Debates across the World 



Improvements m technology have radically alteied the pace at winch systems of 
identification have developed all ove. the woild Talcing lessons fiom the experiences of 
other nations who ve taken similar paths, 01 not, would sei ve well before the mammoth task 
of implementing UID amongst a population of over a billion, is undertaken 




European Countries 


Most European Union members have voluntary and compulsory ID cards 

except Denmark, Latvia and Lithuania. In Sweden, information is stored on a chip in the card 
ana not m any central database. 1 


France 


The national identity card (Carte Nationale D'identite Secunsee or CNIS) of France is an 

official non-compulsory identity document consisting of a plastic card bearing a photograph 
name and address p SF * 


in paper file and are only accessible to judges in 
extreme circumstances. The information on the card is duplicated in a central database but 

access is limited by strict laws and is not linked to any other records. The card is often used to 
verify nationality and for travelling within the EU. Following a study launched in 2001 Ihe 
government planned to introduce a new card the INES (carte d'identite nationale electronique 
secunsee) also known as “secure electronic national identity card", that would contain 
biometnc fingerprints and photograph data on a chip which would be recorded on a central 
tabase. A group of French bodies initiated a report and petition against the plans. Although 

draft legislation was published in 2005, the government has yet to set a date for a discussion 
of the proposals in the Parliament. Sy 


Germany 


In Germany, it is compulsory for all citizens, 16 years or above, to possess either a 
Peisonalausweis (identity card) or a passport, but it’s not necessary to cany one. While 
authorities have a right to demand to see one of those documents, the law does not state that it 
is necessary for one to submit the document at that very moment. But most Germans carry 
their Personalausweis with them as driver's licences are not legally accepted forms of 
identification m Germany. 56 

Beginning in November 2010, German ID cards contain RFID chips with personally 
identifiable information including a biometric Photo and, if desired, two fmgeiprints. The 
German government's new national ID card was publicly hacked on TV by members of the 
infamous Chaos Computer Club. Members of the Chaos Computer Club demonstrated how 
easy the cards were to crack live on the WDR TV channel. The hackers cracked the PIN 
system on the cards, which then allowed them to impersonate the cardholder online. 

Germany’s Federal Office for Information Security acknowledged that the card's PrN can be 
cracked using trojan malware, similar to keylogging software. 57 
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UnitedJKjngdom 


The government's attempts to impose compulsory ID cards sparked off fury early this year. 
The Home Affairs committee shot down the idea as its benefits outweighed the increased data 
protection risks. In July 2002, David Blunkett, Former Laboui Home Secretary had initiated 
plans for an identity card scheme. By February 2010, the government scrapped the plan as the 
scheme's overall cost massively inflated to an estimated £4 5bn These cards were intended to 
hold biometric data such as name, fingerprints and a photograph oil an encrypted chip. Apart 
from this, the National Identity Register was designed to hold up to 50 different types of 
personal information. These identity cards were aimed at tackling illegal immigration, fraud 
and identity theft - but eventually were abandoned after they were criticised for infringing 
civil liberties and being too expensive. After the plans were abandoned, personal information 
of 15,000 people who applied for an ID card before the scheme was cancelled, were 
systematically destroyed (not disabled) by the British government. ss 

Bosnia 

The Bosnian government pushed for a national ID in 2002, with the stated intention of 

promoting unity. The technology under usage includes a bar code instead of a chip on the 

card along with a photograph, signature and a single fingerprint. It decided against using a 
smart card chip. 

United States of America 

The Social Security programme number is also used as the national identification number. 
But attempts at introducing biometric national cards have come under fire from rights groups. 

45 organizations representing privacy, consumer, civil liberty and civil rights organizations 
joined together and launched a nation wide campaign to gamer public support to stop 
America’s first national ID system: REAL ID. The Real ID Act of 2005 was the result of 
recommendations of the 9/11 Commission and was passed as part of anti-terrorism effort. 
This act would've allowed all driver’s licenses to be linked, leading to a person’s records to 
be accessible by officials in other states and federal agencies. Although initially it wasn’t 
mandatory for states to issue Real ID Cards, the Department of Homeland Security eventually 

wanted Real ID cards to be required for air travel and for receiving benefits such as Social 
Security. s * 

This card would’ve included identity documents such as a photo ID, documentation of birth 
date and address, proof of citizenship or immigration status and verification of Social 
Security numbers. The states were required to hold digital images of each identity document 
for periods ranging from seven to 10 years. The groups opposing this measure were 
concerned about the increased threat of counterfeiting and identity theft, lack of security to 
protect against unauthorized access to the content, cost burden on the taxpayers, diversion of 
funds meant for homeland security, increased costs for obtaining a license or state issued ID 
card, and because Real ID would create a false image that it is secure and impenetrable. 

Even a couple of the most vocal senators on implementing national ID, Sen. Charles Schumer 
(D-New York) and Sen. Lindsay Graham (R-South Carolina) said that, “We would require 
allU.S. citizens and legal immigrants who want jobs to obtain a high-tech, fraud-proof Social 




Security card Each card’s unique biometne uienttfiei would be stoied only on the card 
government database would house everyone's information ** 6U 


no 


Despite this many civil society activists and citizens voiced the., intense disapproval lor such 
a measure Jin, Harper, Directoi ot Information Policy Studies at the Cato Institute believed 
that the plan would undoubtedly lead to a national database He added that “there is no 
practical way of making a national identity document fraud-proof** 

By October 2009, 25 states approved resolutions not to participate in the programme. The 
resolution passed in Utah stated that Real ID is "in opposition to the Jeffersonian principles of 

“■*?**■ marketS ’ and l ' mi,ed 8 ove niment." It further states that "the use of 
identification-based secunty cannot be justified as part of a 'layered' security system if the 

costs of the identification ’layer'--in dollars, lost privacy, and lost liberty-are greater than the 
secunty identification provides". 
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As a compromise, the Obama administration introduced Pass ID in the Congress The Pass ID 

On thfnthf h Se ? nty / andards for issuance of identification cards and drier's licenses 
On the other hand, it does not collect personal information of individuals and store it in a 
centralized database, accessible by any state authority . 61 


Canada 


t I he h rln fl ?° r r iVCd deliberati0n over ad °P tin 8 na ‘io«*l ID cards. But after an interim report 
the Canadian Government is moving to implement biometric passports. Although the national 

L D P r^r r ~ a,iy Marc " ^ Aprii *** £2 


Pakistan 


Since the 1960s, Pakistan has been issuing National Identity Card (NIC) numbers to its 
«taan.Established in the year 2000, the National Database and Reg,station Authority 

Pakistan s state-owned IT services company that specializes in implementing 
multi-biometnc national identity cards and e-passports, as well as secure access verification 
and conftol systems in both public and private sectors. In fact, what is not widelysome reports 
ngmating from the Planning Commission raised questions about UIDAI ignoring not just 
privacy concerns, but also the sample test results. So far, data results from just 20,000 people 
has been the basis for over 1.2 billion U1D number; known is that Pakistan is amonStThe 
first few countries in the world to attempt to issue national ID biometric cards and e-passports 

In S toS ° Ver 7 ' » is citizens since 

NattoS fflr ,f brUaiy 200bl the Au,,10nt y had issued i‘s 50 millionth Computerized 
Nationa 1 Identity Card. However, the picture ain’t as rosy as it seems. The NADRA is dogged 

with allegations about tricksters having a ball with this programme and getting away with 

creating fake ID cards m huge numbers. Another sticky issue is that of AfgL reLees 

living m Pakistan and what consequence giving them Pakistani nationality would lead to “ 


Malaysia 


TuT h “ f WayS had ., a nati0nal ID card ’ but in 200 ™oved to replace the existing 
card and driving licenses with a smart card containing a 64k chip called the MyKad or the 
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Malaysian Ccud This clup contains 11 thumbprint nnd othei pcisoricil information, including 
basic health details It is presently a world leadet on identity systems 

Japan 

The government s national ID plans took the form of Juki Net, a Basic Resident Registration 
Network in 1999(it was a voluntary card with a unique 11 digit number) that had a 
tumultuous start, and was faced with a lot of piotests over security issues and had to deal with 
quite a few court cases filed on the basis of unconstitutionally. However in 2008, the ID 
system got the go ahead after its constitutionality was established by the Supreme Court 

Taiwan 




' •>. -* 





Taiwan had been trying to implement biometric identification system lor quite some time. 
But a move to incorporate fingerprints in the card was met with fierce opposition. Aside from 
privacy implications, fingerprinting was deemed indecisive in solving criminal cases. The 
Vice President of the time, Annette Lu, felt that the fingerprint condition in the ID was 
unconstitutional and would undermine the nation’s democratic credentials by stating that, 
“The government’s collection and storage of fingerprint records constitutes a collection of 
individual data and involves the questions of guarantees of the individual right of privacy and 
information autonomy.” 

People’s Republic of China 

The Chinese government had implemented a system of providurg ID cards, containing very 
basic information to every citizen since 1985. In 2003, the card was legally updated to verify 
citizens’ identity and law and order purposes and comprised of a chip that stores additional 
informatioa By 2004, the government introduced the “second generation” ma n d a tor y ID 
cards, involving contact less chips containing a small storage capacity (41c- therefore, 
restricting information to name, gender, ethnicity, residence and date of birth). 

They deliberated on incorporating fingeiprints but decided against it as Uiey found the system 
to be very challenging to handle and had reservations about its reliability. Seemingly, 
biometrics overwhelm a system of this nature. “Such an effort to introduce biometrics, the 

huge quantity (of cardholders), is not feasible,” said an official from the Chinese National 
Registration Centre. 


Early this year, China began issuing smart cards to its citizens. The cards can also help 
identify those who use ATMs, enter a building with an electronic guard system or even pick 
up their children from kindergarten. 

Australia 


After the Second World war ended, the national cards were withdrawn. The issue of national 
ID cards was raised 30 years later and after a few government inquiry reports, dropped the 
idea. It resurfaced in 1985, when the government proposed Australian cards, mostly to curb 
tax evasion. Australia probably witnessed the most forceful protests and campaigns against a 
national ID proposal. Following a vigorous opposition campaign, the proposal was 

withdrawn in 1987. Though Australia is including biometrics in passports, it is limited to a 
digital photograph. 
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West Asia 

According to reports, Oman, UAE. Saudi Arabia and Israel are drawing up plans of issuing 
‘smart” ID cards, with Oman faking the lead and the card it issues will store fingerprints. The 
purpose behind issuing these cards in the country is primarily immigration management. 
Even though the Oman government is planning multiple applications on the card, however, 

information on the card cannot be disseminated to all government agencies nor to the private 
sector. 
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(http://www.govtech.com/security/99354049 htm! ) 


und__kiek:ijigjeport_says), and 


62 The Dawn, ‘Pakistan Has World’s Largest Biometric Citizen Database” P' November, 2009 

(lmp://www.nadra.gov.pk/index php?opiion=con^coiitent&vie\v=amcle&id-142.pakistan-has-worids-lariiest 
moinetric-citi2en-database&catid=IO:news-a-iipdates&ftenud=20) Also see 
http.//www.riazhaq.com /201 l/OS/pakistan-leads-asia-in-biometric-it litml 

63 Ghumman, Khawar, ”PAC to take up issue of fictitious ID cards today”. The Dawn, 19 lh March 2011 

(http://www.dawii.com /201 1/03/19/pac-to-tnkeHip-issue-of-fictitious-id-caids-toclay html). 

Also check: 


http://www.dawn.com/2011/03/20/a fghan-refugees-a-probleni-for-nadra.htm I 
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Background to the UID 
(ACCESSED from the UID Website: 

http://uidai.gov.in/index.php?option=com content&view=article&id=141&I 
temid=l64#backeround) 


Unique identification project was initially conceived by the Planning 
Commission as an initiative that would provide identification for each 
resident across the country and would be used primarily as the basis for 
efficient delivery of welfare services. It would also act as a tool for effective 
monitoring ot various programs and schemes of the Government. 

a) The concept ol a unique identification was first discussed and worked 
upon since 2006 when administrative approval for the project -"Unique ID 
for Below Poverty Line (BPL) families" was given on 03 March 2006 by the 
Department of Information Technology, Ministry of Communications and 
Information Technology. This project was to be implemented by the 
National Informatics Centre (NIC) over a period of 12 months. 
Subsequently, a Processes Committee to suggest processes for updation, 
modification, addition and deletion of data fields from the core database to 
be created under the Unique ID for below BPL project was set up on 03 July 
2006. This was set up under the chairmanship of Dr. Arvind Virmani, 
Principal Adviser, Planning Commission. 



b) A "Strategic Vision on the UIDAI Project" was prepared and submitted to 
this Committee by M/S Wipro Ltd (Consultant for the design phase and 
program management phase of the Pilot UIDAI project). It envisaged the 
close linkage that the UIDAI would have to the electoral database. The 
Committee also appreciated the need of a UIDAI Authority to be created by 
an executive order under the aegis of the Planning Commission to ensure a 
pan-departmental and neutral identity for the authority and at the same time 
enable a focused approach to attaining the goals set for the XI Plan. The 
Seventh Meeting of the Process Committee on 30 August 2007 decided to 
furnish to the Planning commission a detailed proposal based on the 
resource model for seeking its "in principle" approval. 

c) At the same time, the Registrar General of India was engaged in the 
creation of the National Population Register and issuance of Multi-purpose 
National Identity Cards to citizens of India. 

d) Therefore, it was decided, with the approval of the Prime Minister, to 

constitute an empowered group of Ministers (EGoM) to collate the two 
schemes - the National Population Register under the Citizenship Act, 1955 
and the Unique Identification Number project of the Department of 
Information Technology. The EGoM was also empowered to look into the 
methodology and specific milestones for early and effective completion of 
the Project and take a final view on these. The EGoM was constituted on 04 
December 2006. 

• The first meeting of the EGoM was held on 27 November 2007. It 
recognised the need for creating an identity related resident database, 


regardless of whether the database is created based on a de-novo collection 
of individual data or is based on already existing data such as the voter list, 
there is a crucial and imperative need to identify and establish an 
institutional mechanism that will "own" the database and will be responsible 
for its maintenance and updating on an ongoing basis post its creation. 

♦ The second meeting of the EGoM was held on 28 January 2008. It decided 
on the strategy for the collation of NPR and UIDAI. Inter-alia, the proposal 

to establish UIDAI Authority under the Planning Commission was 
approved. 


• The third meeting of the EGoM was held on 07 August 2008. The Planning 
Commission had placed before the EGoM a detailed proposal for setting up 
UIDAI. The meeting decided that certain issues raised by the members with 
ielation to the UIDAI (Annexure to the EGoM meeting proceedings) would 
need to be examined by an official level committee. It referred the matter to 
a Committee of Secretaries to examine and give its recommendations to the 


EGoM 


to 


facilitate 


a 


final 


decision. 


Subsequent to the Committee of Secretaries recommendations, the fourth 
meeting of the EGoM was held on 04 November 2008. The 
lecommendations of the Committee of Secretaries were presented to the 


EGoM 


and 


the following decisions were 


taken. 


a) Initially the UIDAI may be notified as an executive authority and 


investing it with statutory authority could be taken up for consideration later 


at 


an 


appropriate 


time. 


b) UIDAI may limit its activities to creation of die initial database from the 
electoral roll/EPIC data. UIDAI may however additionally issue instructions 


to agencies that undertake creation of databases to ensure standardization of 

l 


data 


elements. 


c) UIDAI will take its own decision as to how to build the database. 


d) UIDAI would be anchored in the Planning Commission for five years 
after which a view would be taken as to where the UIDAI would be located 


within 


Government. 


e) Constitution of the UIDAI with a core team of 10 personnel at the central 
level and directed the Planning Commission to separately place a detailed 
proposal with the complete structure, rest of staff and organizational 
structure of UIDAI before the Cabinet Secretary for his consideration prior 
to seeking approval under normal procedure through the DoE/CCEA. 

f) Approval to the constitution of the State UIDAI Authorities 

* 

simultaneously with the Central UIDAI with a core team of 3 personnel. 

g) December 2009 was given as the target date for UIDAI to be made 
available foi usage by an initial set of authorized users. 

h) Prioi to seeking approval for the complete organizational structure and 
full component of staff through DoE and CCEA as per existing procedure, 
the Cabinet Secretary should convene a meeting to finalize the detailed 



1 T 


fganizational structure, staff and other 


requirements. 


d 




|.l: Subsequently, on 22 January 2009 the Cabinet Secretary in pursuance of 

. ; 

ie decisions of the Empowered Group of Ministers considered the proposal 
lbmitted by the Department of Information Technology regarding the 


governance 


structure 


and 


recommended 


that 




3 


* 

|aj) The notification for constitution of the UIDAI should be issued 


Yt 

kl 


immediately. 




|b) A High Level Advisory, Monitoring and Review Committee headed by 


m t 


Deputy Chairman, Planning Commission to be constituted to oversee the 

| i 

i f 

work 


of 


the 


S'- 


Jir, | 

It 1 

€! 


authority. 


' c) A Member, Planning Commission or the Secretary, Planning Commission 

£ ! 

* 

[. ®fy also be assigned the task of looking after the work proposed for the 


Chief 




UIDAI 


Commissioner 


a 


1 >< ’ 




d) 


Core 


Team 


to 


be 


put 


in 


place. 


1 

*■ * 


a. 



1-2: In pursuance of the Empowered group of Ministers' fourth meeting 
§J dated 04 November 2008, the Unique Identification Authority of India was 
1 constituted and notified by the Planning Commission on 28 January 2009 as 
an attached office under the aegis of Planning Commission with an initial 
core team of 115 officials. The role and responsibilities of the UIDAI was 
k Hid down in this notification. The UIDAI was given the responsibility to lay 
t down plan and policies to implement UIDAI scheme and shall own and 



operate the UIDAI database and be responsible for its updation and 
maintenance on an ongoing basis. 

Top 

Prime Minister's Council 

> 

Prime Ministei s Council on UIDAI Authority - Subsequently, on 02 July 
2009, the Government appointed Shri. Nandan M. Nilekani as Chairman of 
the Unique Identification Authority of India, in the rank and status of a 
Cabinet Minister for an initial tenure of five years. Mr. Nilekani has joined 
the UIDAI as its Chairman on 23 July 2009. The Prime Minister's Council of 
UIDAI Authority of India was set up on 30 July 2009. The Council is to 
advise the UIDAI on Programme, methodology and implementation to 
ensure co-ordination between Ministries/Departments, stakeholders and 
partners. The Council would meet once every quarter. The First Meeting of 

the Prime Minister's Council of UIDAI Authority took place on 12 August 
2009. 

The salient decisions in the PMs council were as follows : 

Need for legislative framework 

Broad Endorsement of the Strategy 

Budgetary Support to partners 

Setting Biometric and Demographic Standards 

UIDAI Structure Contours Approved 

Flexibility in Personnel and other issues 

Choose, Deploy and Repatriate Officers 

Government Accommodation Eligibility 

Broad-banding of posts 

Hiring of professionals from Market 


Setting up ot Global Advisory Councils of PI Os 

interns and Sabbatical Global Procurement 
Top 


Cabinet Committee 

The Government of India issued orders constituting the Cabinet Committee 
on UIDAI Authority on 22 October 2009. It is headed by the Honourable 
Prime Minister and consists of the Minister of Finance, Minister of 
Agriculture, Minister of Consumer Affairs, Food and Public Distribution, 
Minister of Home Affairs, Minister of External Affairs, Minister of Law and 
Justice, Minister of Communications and Information Technology, Minister 
of Labour and Employment, Minister of Human Resource Development, 
Minister of Rural Development and Panchayati Raj, Minister of Housing and 
Urban Poverty Alleviation and Minister of Tourism. The Deputy Chairman 
Planning Commission and Chairman UIDAI are special invitees. The 
functions of the Committee, which is headed by the Honourable PM would 

as under 



All issues relating to the Unique identification Authority of India including 
its organisation, plans, policies, programmes, schemes, funding and 
methodology to be adopted for achieving the objectives of that Authority. 
Mandates and Objectives 

The Unique Identification Authority of India (UIDAI) has been created as an 
attached office under the Planning Commission. Its role is to develop and 
implement the necessary institutional, technical and legal infrastructure to 
issue unique identity numbers to Indian residents. 


U? 


On 25 June 2009, the Cabinet also created and approved the position of the 



Chairperson oi the UIDAI, and appointed Mr. Nandan Nilekani as the first 
Chairperson in the rank and status of a Cabinet Minister. Mr. Ram Sewak 
Sharma has been appointed the Director General. 

Mission and Timeline 

Top 

The Mission 

The role that the Authority envisions is to issue a unique identification 
number (UIDAI) that can be verified and authenticated in an online, cost- 

effective manner, which is robust enough to eliminate duplicate and fake 
identities. 

The Timelines 

The first UIDAI numbers will be issued over the next 12-18 months counted 
from August 2009, The first number would be issued between August 2010 
to February 2011. Over five years, the Authority plans to issue 600 million 

UIDs. The numbers will be issued through various ’registrar' agencies across 
the country. 

Top 

Organization Details 

UIDAI was set up as an attached office of the Planning Commission through 
Notification dated 28.01.09 with a core team of 115 officers and staff. Under 
the Notification, 3 Posts (DG, DDG and ADG) were sanctioned for 
Headquarter with 35 UID commissioners in each of the States. It was 
thereafter decided to have Regional Offices in Bangalore, Chandigarh, 
Delhi, Hyderabad, Guwahati, Lucknow, Mumbai and Ranchi with their 
jurisdiction covering specific states across the country.A Technology Centre 
has been set up in Bangalore. 268 additional posts were created in 
September 2009. UIDAI at present has a total sanctioned strength of 383 



officers 


and 


subordinate 


staff. 


Headquarter’s Organisation: The U1DAI is headquartered in Delhi with 
Shri Nandan Nilekani as the Chairman and Shri R.S. Sharma as the Director 
General and Mission Director. In the organizational design, the DG is to be 
assisted by seven Deputy Director Generals, officers of the level of Joint 
Secretary, who are in charge of various Wings. One of the DDGs heads the 
Finance Wing. The DDGs would be supported by 21 ADGs, 15 Deputy 
Directors, 15 Section Officers and 15 Assistants. The HQ has a total 
sanctioned strength of 146 number of officers and staff including the 
Accounts and IT branch. All the officers and staff have been appointed on 
deputation either under Central Staffing Scheme or through bilateral route. 
Of the sanctioned strength, 85 are in position at present. Appointments for 
the remaining vacancies are in process. 
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Annexur©^ 


(TO BE PUBLISHED IN PART-1, SECTION-2 OF THE GAZETTE OF INDIA) 


GOVERNMENT OF INDIA 
PLANNING COMMISSION 


Yojana Bhawan.Sanead Marg* 
New Delhi; January.2Q09 * 
NOTIFICATION ’ r .. 

No. A«430H/02/2Q03-Admn.L In pursuance of Empowered Group of Ministers’ 
fourth meeting, dated November 2006, the Unique Identification Authority of 
India (UIDAi) is hereby constituted end notified as an attached office* under aegis of 
Planning Commission with following terms of reference and initial core staff 
composition^ 



/ 


( 


COMPOSITION: 

1 

2 UIDAf shall be set up with an initial core team of 115 officials and staff as per 


details gtven below* 


Poet | Level 

No. of Posts 

UID Authority of India 


Director General & Mission 

Director 

Additional Secretary Govt, of 
India 

1 

Deputy Director General (DOG) 

Joint Secretary. Govt, ofindia 

1 

Assistant Director General (ADG) 

Director, Govt, of India 

1 

Support Staff 


PS 

PS 

3 

Peon 

Poon 

2 

Driver 

Driver 

2 

Total Manpower. 

10 

Slate /UT Units of UIDAI 

.- . - —, - 


State / UT UID Commissioner 

Joint Secretary. Govt, of India 

35 

Support Staff 


PS 

PS 

35 

Peon 

Peon 

35 

Total Manpower 

105 

Grand Total 

116 
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Annexure 1 


Role and Reg ponsiblll_tlq$ of Ul O Ai 

3 UIDAI shall have the responsibility to lay down plan and polidos to implement 
UID Scheme, shall own and operate U1D database and be responsible for its 
updation and maintenance on an ongoing basis 

4 implementation of UJD scheme will entail, inter alia, following responsibilities 
being undertaken by UID A! 

w Generate and assign UlO tu residents 

* Define mechanisms, and processes for interlinking UID with partner 
databases on a continuous basis 

Frame policies and administrative procedures related to updation 
mechanism and maintenance of UID database on an ongoing basis 
v Co-ordinate / liaise with implementation partners and user agendas ns also 
define conflict resolution mechanism 

* Define usage and applicability of UID for delivery of various services 

* Operate and manage ail stages of UID lifecycle 

- Adopt phased approach for Implementation of UID specially with reference 
to approved timelines 

* lake necessary steps to ensure collation of NFR with UID (as per 
approved strategy) 

* Ensure ways tor leveraging field level institutions appropnately such as 
PRJs in establishing linkages across partner agencies as well as it* 
validation while cross linking with other designated agencies 

* Evolve strategy for awareness and communication of UID and its usage 

* Identify new paiiner /user agencies 

* Issue necessary instructions to agencies that undertake creation of 
databases, to ensure standardization of data elements that are collected 
and digitized and enable collation and cor relation with UID and its partner 
databases 

Frame policies and administrative procedures related to hiring / retention / 
mobilization of resources, outsourcing of various tasks and budgeting & 
planning for UIDAI and all State units under UIDAI. 

b PUnnm< J Commission shall be the nodal agency for UIDA) for providing logistics, 

pfarming and budgetary support Planning commission would provide initial office 
and IT Infrastiucture at central level 
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Annexure 1 


G Government housing will De provided to officers of UIDAJ appointed on 
deputation from general poot of Department of Urban Development. 



• iic uBii«rai Ao^natjc- 

Govt of India Pi ess 


Paridabad. 


'Opy lo 


3 

4 
*5 

c 

*“T 

/ 

0 

£1 

10 

11 . 

12 

13 


Secretary to the President, Rashtrapali Bhavan. New Deilti 

Secretary to the Vice-President, Maulana Azad Road. New Delhi 

Cabinet Secretary, Rashtrapati Bhavan, New Delhi 

tojhe Prime Minister, South Block, New Delhi 

AJ?M/r?ic1nr C ^l ry h the ? c ^ uly Chalmtan * Panning Commission 
All Minis ters/Departments of Govt of India 

CNef Secretaries of all States/Union Territories 

Secretary General, Rajya Sabha Secretariat. New Delhi 

oecretary General, Lok Sabha Secretariat, New Delhi 

Pf /Vfviser (Admn& PC)/AS & FA/Adviser {C & I (/Director <GA)/DS (Admn.) 

ay & Accounts Officer, Planning Commission 
Drawing & Disbursing Officer, Planning Commission 
Accounts -I Section, Planning Commission. 
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I-12013/08/RTI/2010-CP10 / >t ) 4 
Government or India 
Planning commission 
Unique identification of India 

Jeevan Bharati Building 
Third Floor, Tower -II 
Connaught Circus, New Delhi-110 001 

Date: 2**' July 2010 


Subject: Information under Right to Information Act 2005. 

Sir, 


Please refci to your letter dated 27 lh May 2010 received in this office on 3 rd June 
2010 seeking information under Right to Information Act 2005 on constitution 
and appointment of pci sonnel in UIDA1. 

The decision for appointment of Chairman UIDAl was conveyed by the Cabinet 
Secretariat In this connection a copy of Press Release from PIB is enclosed. 


If you are not satisfied with the reply ol C1MO, UIDAl, you may appeal to Appellate 
Authority, UIDAl within 30 clays from the receipt of this letter. The address and 
contact number of the Appellate Authority are given below: 


Mrs K. Gangci 

DDG & Appellate Authority 
Unique Identification Authoi ity of India (IJIDAf) 

Third Floor, Tower -II 
Jeevan Bharati Building 
Connaught Circus, New Delhi- 110 001 
Tel Phone No 2375 26'/2 


u.m* 

To :W- • 

j. 

Tnshna Sena paly 

035, IFS CGHS, Mayor Vihar, 

Phase -l, New Delhi-110091 


» 


^ i 


rj 



[JAYA DUBEY) 
ADG & CPIO 
Ph No 23752764 


■ 1 . 




OF INDIA) 


GOVERNMENT OF INDIA 
PLANNING COMMISSION 



NOTIFICATION 


Yojana Bhavan, Sansad Marg, 
New Oeihi^julv^OOB. / 


A d301 i;02/3onq° Ad 7 ° ln continuatl °" of Notification number 

A- d301i/02/2009-Admn.l dated 28.3 2009 regarding creation of Unique 

Identification Authority of India (UIDAi) as an Attached Office of the Planning 

ommission, it is notified that the competent authority has approved the 

appointment of Shri Nandan Nilekani, Co-Chairman, INFOSYS as Chairperson, Uniqt^ 

Identification Authority of India, in the rank and status of .* Cabinet Minister 

Shri Nilekani will hold appointment for an initial tenure of five yelW- * 4 

C CT) 

TAr 


mlMalhotra) 


Deputy Secretary to the Govt, of India 


The General Manager, 
Govt of India Press, 
fandabad 




* 
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2 

3 

4 

5 


Copy to - 

1 Shri Nandan Nilekani, CEO, President & MD, Infosys Technologies Ltd. 

Corporate Headquarters, Plot No. 44 & 97 A, Electronics City, Hosur Road 
Bangalore. 

Secretary to the President, Rashtrapati Bhavan, New Delhi. 

Secretary to the Vice-President, Maulana Aiad Road, New Delhi. 

P.M.'s Office (Principal Secretary to PM), South Block, New Delhi. 

P S to Deputy Chairman, Planning Commission 
6. Cabinet Secretariat (Cabinet Secretary), Rashtrapati Bhavan, New Delhi w.r.t 
their note No, 1-1/2009-C5 (A) (pt.) dated 01.07.2009. 

7 Secretary (Personnel), North Block, New Delhi. 

8. Secretary, Planning Commission / Principal Adviser (Admn.), Planning 
Commission. 

X'- Director General, UIDAI / AdviseT^C&l), Pig Commission 
10. All Ministries / Department of Government of India 
u ’ chief Secretaries of all States / Union Territories of India. 

12. Secretary General, Rajya Sabha Secretariat, New Delhi. 

13. Secretary General, Lok Sabha Secretariat, New Delhi. 

14. Message Section, Rashtrapati Bhavan, New Delhi. 

15 Public Section, Ministry of Home Affairs, North Block, New Delhi. 

16 Accounts I Section, Planning Commission. 

17 Drawing and Disbursing Officer, Planning Commission. 

18 Pay & Accounts Office, Planning Commission. 

19 Personal file of Shri Nandan Nilekani. 

20. Circulated in Vojana Bhavan through e-mail 

•■i < 


K. 


•*- 


J 
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<✓ *£ e c 
(Anil Malhotra) 
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protecting fxnue) of anonymization, the name for technique* that protect the 
privacy of individuals m fen ge databases by deleting information like names and 
social security numbers llvese scientist* hoie demonsiiated that they can often 
’Weidentify' ui 'ndii'idiuds tu /dun m rinon;yinf<ud data with 

astonishni“ ease By understanding tlu* icsemch, toe leahze we have made a 
mistake , lo6oved beneath a fundamental inhmiderMttiu/nig, which has assured us 
much Jess privacy than u-e have assumed. This mistake pervades nearly every 
mfoimaam privacy law, regulation , mid debate, yet regulators and legal scholars 
hove (xiid :i scan 1 attention We must respond :o riu n uprising failure of 
anonymization, nmi c/ii* An/de provide* die rad* to tL 
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INTROIXXTIGN 


imagine a database packed with sensitive information about many people. 
Perhaps this database helps a hospital track its patients, a school its stu¬ 
dents, or a bank its customers. Now imagine that the office that maintains 
this database needs to place it in long-term storage or disclose it to a third 
party without coni pi o mi sing die privacy of the people tiacked. To eliminate 
the privaev risk, the office will the data, consistent with contem¬ 

porary, ubiquitous daca-handhng practices 

Pint, it will delete peisonal identifiers hke name.', and social security 
numbers. Second, tr will modify ocher categories of information that act like 
identifiers in die particular context—the hospital will delete the names of 

next of kin, the school will excise student ID numbers, and the bank will 
obscure account numbers. 

What will remain is a Ivsc-of-botlvworlds compromise: Analysts will still 
find tlie data useful, but unscrupulous marketers and malevolent identity 
thieves will find it impossible to identify the people tracked. Anonymization 
will calm regulators and keep critics at hay. Society will Iv able to turn ns col¬ 
lective attention to oilier problems because technology will have solved this one. 
Anonymization ensures privacy. 

Unfortunately, this rosy conclusion vastly overstates the power of ano¬ 
nymization. Clever < id versa ties can ofren veidentify or decinoirviTu*? the people 
hidden in an anonymized database. Tills Article is the first ro comprehensively 
incorporate an important new subspecialty of computer science, rcidcntificacion 
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.science, into legal scholarship . 1 2 3 This research unearths a tension that shakes 
a foundational belief about data privacy: Delta can be either useful or perfectly 
anonymous but never both . 

Reidentification science disrupts the privacy policy landscape by undermine 
ing the faith wr have placed in anonymization. This is no mall faith, for 
technologists rely on it to justify sharing data indiscriminately a u! storing daia 
perpetually, while promising users (and die world) that they aie protecting 
privacy. Advances in leiclemif tear ion expose dicse promises as to) often iliusoty. 

These advances should triggei a sen change «n the law occause nearly 
everv information privacy law or regulation grants a gct-out-ohjaiLfree card 
to those who anonym»ze their data. In the United States, federal puvacy statutes 
carve out exceptions for those who anonymhc/ In the Lump an Union, the 
famously privacy-protective Data Protect ion Directive extents a similar safe 
harbor through the way it define* M personal data. f'-t leidentification seb 
ence ex looses the underlying piomisc made by these law.*—that anonymization 
protects privacy—as an empty one, as broken as the technologists promises. 
At the very least, lawmakers must reexamine ev ery privacy law, asking waether 
the power of teidentification and fragility of anonymization have thwarted 
their original designs. 

The powc'of reidentffication also transforms the public pc icy debate over 
information privacy. Today, this debate centers almost entire y on squabbles 
over magical pirates like "peisonally identifiable infonnation" (I 'll) or "personal 
Jan." Advances in rckfcntificauon ex|x)sc how thoroughly th sc pnrascs miss 
the point. Although it is true that a malicious adversary can use PII such as a 
name ot social security number to link data to identity, as i turns out, the 
adversary can do the same dung using information that nohoc y would classify 

as personally identifiable. 


1. A few legal scholars Ivivc considered ihc related ficlJ of statistical tin 
Dougins J. Syivcsici &, Sharon Lofu, The Sccimfy of O m Sccrcis: A History of Pnvn. 
m Uw and SmsucM Practice, 83 DCN v. U. L. RLV. H7 (2005), l>w K las J. Sylvc 
Outnttug ok Gon/i'fcnfw/ity* Legal and .Statistical A/iproachcs Co Fcdcr al Pnuacy 
PATRIOT Act, 20 )5 Wis L Rtv. 1033. In .iJJinon, a few law students have t 
rcidcmiAcntion studies discuv*cJ in thi** Article, but without coitnectuig the<r studi 
nlxuit information nrivacy. Sec, c j?.. I3cnjanun Charkow, Note, The Comm! Owe 
of Dam. 21 CARDOZO Arts & ENT. L.J. 195 (2003); Christine Porter, Note, f. 
There! Party Data Mining. The Risk of Re-jMcmi/foitwm nf Personal fn/nnnatirm, 5 S 
TECH 3 (2008) (discussing the AOL and Netflix stones) 

2. See infra Part I LB 

3. Counci \ Directive 95/46 on the Protection of Indi\ <duah with Regan 
Personal Data and on the Free Movement of Such Data, 1995 O J (L2FU 31 I 
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How many ocher people m the United Sraces share your specific 
crimination of ZIP code, brch date (including year), and sex? According ro a 
landmark study, (or 87 percent of the American population, the answer is zero; 
che.se three pieces of information uniquely identify each of them. 4 5 How 
maov user* of the Netflix movie rental seivice can be uniquely identified by 
when and how they nired any three of the movies they have rented? 
According to anothei important study, a person with thn knowledge can iden¬ 
tify mote than 80 percent of Netflix usei*. Prioi co these studies, nobody 
would have classified ZIP code, buth date, sex, or movie racing* a* PJI. As a 
result, even after these studies, companies have disclosed this kind of infor¬ 
mation connected to sensitive data in supposedly anonymized databases, with 
absolute impunity. 

These studies and others like them sound chc death knell for the idea that 
wc pioccct privacy wlien we r emove PI I fv om our data bares This ; dca, which 
ha* been the central focus of information privacy law for almost forty years, 
must now yield to something else. But to what? 

In search of privacy law’s new organizing principle, we can derive fiom 
re identification science two conclusions of gie;u unpoita nee: 

First, die power of re identification will create and amplify* privacy harms. 
Reidentificauon combines chcasecs that were meant to Ik kept apart, and in 
doing so, gains power through accretion: Every successful re identification, 
even one that reveals seemingly non*ensitive data like movie ratings, abers 
future reidenuucation. Accretive reidentification makes all of our secrets funda¬ 
mentally easiet to discover and reveal. Our enemies will find it easier to connect 
us co facts that they can use to blackmail, harass, defame, frame, or discriminate 
against us. Powerful rcidentification will draw every one of us closer to what I 
call our personal “databases of ruin.’’ 6 

Second, regulators can protect privacy in the face or easy rcidentifica- 
riou only at gieat cost. Because the utiliry and privacy of data are intrinsically 
connected, no regulation can uKrea.se data privacy without also decreasing data 


4. Lir.inya Sweeney, {huqitciww of Simple.’ Deino^nip/ucs m die U -S Pofudmion (Laboratory for 
fod O.K.i Pnvac\, Working Paper LlDAPAVP-f, 2DC0) poi more on this study, sec m/m Pm 1.13.1 .h. 
More recently, PhilippeOolle rev is t tea Dr. Sweeneys study, and recalculated the statistics based on 
year 2000census data Or. Colic could not replicate the earlici 87 percent statistic, but he did calculate 
that til percent of else population m PlQO and 63 pciccnt in 2000 were uniquely identified by ZIP, birth 
cIkc, and sex. Philippe Colic, get‘i\inni» die UmrjMcness oj Simple Demunji.ip/ucs in t/ie US Popubnon, 5 

ACM Workshop on Privacy in ti m Elc-c. Soc‘y77,78 (2006). 

5. Atviikl Narayanan & Vitaly ShiuatiUiv, Robust De-Annin'm/^unm oj Ln^e Sfurse Dn losers, 
in PrOC OT lift 2008 IEEE SYMP ON SECURITY aNO PRIVACY 111, 121 [herein.! fret Netfliv Pi he 
Study] For mote on thus study, see in/ni Parr l.ft I c. 

6. See inpcf Part 111.A. 
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utility. No useful database can ever be perfectly anonymous, .u>d as the utility 

of data increases, the privaev decreases. 

Thus, easy, cheap, powerful re identification will cause significant harm 
that is difficult to avoid. Faced with these daunting new chal lenges, regular 
tors must find new ways to measute the tisk to privacy in dirt irent contexts. 
The/ can no longoi model privacy risks «.s a wholly scientific mathematical 
exercise, but instead must embrace new models that take nessicr human 
factors like motive and tnsi into account. Sometimes, the y may need to 
resign themselves to a world with less privacy than they would like. But more 
ohen, regulators should prevent privacy hauu by squeezing and reducing the 
flow of information in society, even though in doing so th< y may need to 
sacrifice, at least a little, important counter values like innovat on, free speech, 

and sccui ity. 

The Article proceeds in four Parts. Part I describes the dominant role 
anonymization plays in contemporary data privacy practices usd debates. It 
surveys the recent, startling advances in reidentihcation icicnce, telling 
stories of how sophisticated data handlers—America Online, toe state of 
Massachusetts, and Netflix—suffered spectacular, suipris.ng, and embarrassing 
failures of anonymization It then looks closely at the science of rcidcntification, ^ 
iorrowing hca/ilv from a computer science literature hcictoforc untapped by 
legal scholars. Part II reveals how these powerful advances in rcidcntification 
thwart the anus of nearly every privacy law and regulation, f art 111 considers 
three simple and appealing res|xrnses to the^e unbalances but ultimately 
rejects them as insufficient and incomplete Finally. Part IV offc s a way forward, 
proposing a rest for deciding when to impose new piivacy restrictions on 
information flow and demonstrating the test with examples from health and 
internet privacy. 


1. Anonymization and Reipentificaton 


A. The Past. Robust Anonymization 

Something important has changed. For decades, technologists have 
believed that they could robustly protect people’s privacy by making small 
changes to their data, using techniques surveyed below'. I Cell this the robust 
anouyniitftrioii assumption. Embracing this assumption, regt la tors and tcclv 
nologists have promised privacy to use is, and in turn, privacy is what users 

have come to expect. Today, anonymization is ubiquitous. 

But in the past fifteen years, computer scientists have c tablishcci what l 
call the easy rcidcntification result, which proves that the robu t anonymization 
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assumption is deeply flawed—not fundamentally incorrect, but deeply flawed. 
By undermining the robust anonym cat ion assumption, easy re identification 
will topple the edifices* of promise and expectation we have built upon ano¬ 
nymization. T1 ic easy reidencificacion result will also wreak havoc on our legal 
systems because our faith in robust anonym cation, has i boroughly infiltrated 
our privacy luvs and regulations as Pair 11 explores. But before we deploy the 
wrecking bails, tilts Pare reviews the story of how we built these grand structures, 
to explain what we are about to lose. 

]. Ubiquitous Anonym ration 

Anonymization piays a central role in modem data handling, forming 
the core of standard procedures tor storing or disclosing personal information. 
Wlvu is anonymisation, why do people do it. and bow widespread is it 7 8 9 

a. The Anonyaaiacion/Reidennficacion Model 

Let us begin with reimmolog). A person or entity, the data administrat'd, 
possesses information about individuals, known as data subjects. The data 
administrator most often stores tixi information in an elecaonic database, but 

it may also maintain information in other formats, such as traditional paper 
records. 

Data administrators tiy to prorect the privacy of data subjects by ano¬ 
nymizing data. Although I will later aigue against using this term, 7 1 am not 
quite ready to let it go, so for now, anonymization is a pmcess by which infor¬ 
mation in a database is manipulated to make it difficult to identify data subjects. 

Database experts have developed scores of different anonymization 
techniques, which vaiy in their cost, complexity, ease of use, and robustness. 
For starters, consider a very common technique: suppression/ A data admin¬ 
istrator suppresses data by deleting or omitting it entirely. For example, a 
hospital data administrator tracking prescriptions will suppress die ivanu> of 
patients bcfoie sharing data in ordei to anonymize it. 

The revcise of anonymization is reidencificacion oi deanonymization/ 
A person, known in the scientific literature as an adversary/ 0 re identifies 


7. Set' mfm P.vrc HjC 2 

8. Sec Lacan ya Sweeney, Adweving k-Anonviniiy Pin^c\ ProteelK'it GcWmIi *(inoH druf 

SuMxesSian, W JNT’LJ.ON UNCERTAINTY, FUZZINESS &. K:,'OWLKXlt*-a*\SLl)S’tS. 571 . 572 ( 2002 ). 

9. E.g , Nctflix Prize Siudx, siipui note 5, .u 11 !~! 2 
10 M 
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anoaymized datr by linking anonymized records to outside tnfom lation, hoping 
to discover the true identity oi the data subjects. 


b-Thc Reasons to Anonymize 


Data administrators anonymize to protect the privacy ol data subjects 
when storing or disclosing data. They disc lost data to thice grot ps. fuse, they 
release data to thud parties: For example, health researchers share patient 
data with other health researchers, u websites sell transaction data to adver¬ 
tisers, 12 and phone companies can he compelled to disclose cal 1 logs to law 
enforcement officials P Second, administrators some * iir.c release anonymized 
data to the public. 4 Increasingly, administrators do thb t r > engage in what 
is called crowdsourcing—attempting to harness large group, of volunteer 
use is who can analyze data moie efficiently and thorough! / than smaller 
groups of paid employees. 15 Third, administrators disclose anonymized data to 
others widvr. their organization 16 Particularly within large organizations, 
data collectors may want to p.otcct data subjects' privacy even from others in 
the organization. 17 For example, large banks may want to si arc some data 
with then marketing departments, but only after anonymizing it to protect 
customer privat y. 


Lawrence Lessm's foui leeularors of behavior—norms '< ncl ethics, the 

° ^ .i(t 

market, architecture, and law—each compel administu-iors to anonymize. 
Anonymization norms and ethics often operate through best practice 
documents that recommend anonymization as a technique tor protecting 
privacy. For example, biomedical guidelines often recommend coding genetic 


I L Rukhvi! Institute, of Health, HtPAA Privacy Units for Researchers, hit p//pi ivncyruleand 
rjseaich.nih.i:o\7f;iq asp (List vusual hire: tZ, 2010) 

12 £.g , Posing ot Susan Wojcicki, Vkc Pies Jont Pivnluct Management to Fix* Officrul Google 

Blog, Making Ads More Interesting, http/fc«xifdehioghlogsp»t.ami/2009/0'/makmg'aos »nore- 
interest ing.html (Mar. 11,2009, 2:01 f;ST) (announcing a new G<x>glc initiative to tailor ads to w thc 
types of sites you war auu the pages you view"). 

13. E.g., In te Application of United States lor an Oielcr for Disclosure of Telex u in munkat ions 
Records and Authorizing the Use of a Pen Register are! Trap and Trace, 405 F. Suj a. 2d 435 (S D.N.5. 
2005) (granting the government the aurhoiity to c<xnpcl a provider to provide inhumation suggesting 
the location of a customerV cell pl>on»'). 

14. See infra Part i B 1 (describing three public releases of databases). 

15. See CLAY SKIRKY, HLRL COM US EVUIYBOOY. THL POWER OY ORG ' NIZING WITHOUT 
Organizations • 200 -s), j a Mts surowi toe: Tut w isoom op Crowds (2(04). 

16. See Posung rf Philip Lcns.ser\ to Google Blogoscopcd. Got>glc-Intern*l Data Restrictions, 
hup:/A , logr>scopce^ coir/archive/200/-06'27'n27.Ltml (June 27, 2007) (detailing how Google and 
Microsoft limit inwnxal access to scresitive data) 

17. See id 

Ifi. See LAV'RHKCL Lassie?, GOTH: VLRMt )N 2 0, at ! 21 (2006) (listing foi r regulators of online 
behavior: markets, norms, laws, and architecture). 
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data—associating scored genes with nomdentifymg numbers—co protect 
privacy. 1 * Other guidelines recommend anonymization in contexts such as 
electronic commerce/ 0 internet seivice provision, 21 data mining,” and national 
security data sharing Academic leseaichers relv heavily on anonymization 
co protect human reseaich subjeers, and their research guidelines recommend 
anmymizacivHi generally,* 1 and specifically in education,* 5 computei network 
monitoring,* 0 and health studies/' Professional statisticians aie duty-bound to 
anonymize data as a matter of professional ethics Ia 

Maiket picssuu'* sennet imes compel businesses to anonymize data. For 
example, companies like imnc.com and wcsabc.com provide web'based 
personal finance rlacking and planning/ 0 One way diese companies add 
value is by aggregating and republishing data co help their customers 
compare the a spending widi that oi similarly situated people. 30 To make 
customeis comfot table with this type of data sharing, hoch mint.com and 
'vcsabc.com promise to anonymize data lx?fore sharing it 11 

Architecture, defined in Lessig's sense as technological constraints” often 
forces anonymizatkx*i, or at lease makes anonymization die default choice. As 
one example, whenever you visit a website, the distant computer with which 
you communicate—also known as the web set vet—records some information 


19 Rivhetio Ardor'ii*, Po/>id<m<ai i/viiinc f\itril\i\c\ A SU rO/i allonge u> Ftm»a.i m 

Ethics and Law or Inticluxtual property 39 (Uvisuan Lenk, Nils H^-mc & PjoK-iio AnJomn 
eds., 2007) 

20 . Alex Rerson & Larr\ ixxiov, Master Data Management and Customer Data 
IMITORATION RjR aGLORAC ENTTTsHUSK 338 -*? ( 2007 ) 

21. See tafia Parc 11. A. 3 b 

32, G.K CUiTA, IixTRiTHJCTION TO0 A TA MINING WITHCaSL STUDIES 432 (2C06). 

23 MAtucLt Foun’i >, Task* Force, Creatin'* . \ Trusted Network ior Homeland 

SlV.'URITY 144 (200)), aixiiLi^L' i 'L lu.f* //u w w marble twg/JinvH o. k E ib le_.L*»er >f nstl je|wc2 JulLrcpniT.pJf. 

24. See The SAGE EncYOLOTEIXA OI QUAUTATR E Re$LARCi ( METHODS 196 (Lisa M 
Given ud . 2008) (entry lor “D.hu Seeunc/') 

25. LOOISGOI1EN ET AL . fU^LARCl l ML 1*1 lOOS IN ElXXZA’I lON 189 (200)). 

26 See Rooming I 5 :**'*** e» .*!., The Dei'*I arJ Pen Let Tt ace Anunvnuzaimv, 36 COMP. COMM. 
REV. 29 (2006) 

27. Inst, or Med., Protectno O at a "Privacy in Health Services RxsE.AitCH 17$ (2000). 

28. European Union Aincle 29 Data Piocecnon Working Run, O/imion 412007 un the 
Concef* of Personal Data . 01248/07/GN WP 136, at 21 (June 20, 2007; {hereinafter 200? Working 
Parry Opmioo|, uitfdaMe at litrp7/cc curopj.eii/;usticc_]HMuc/bj/pn\<icyAkx^/\v'p 1 ^es/2007/upl36_oii pdf. 

29. See Eric Bendcrofl, Spend nuJ $au* riie S< etal Way —Personal/ Tec/mulo^, SEATTLE TIMES, 
Nov. 8, 2038, ar A9. 

30. SeeCliiolyn Y. JN’uwm, Online Social NenmLtn J ' Meeu fVr&rjtuif Fmiijugc, N.Y TIMES, Aug. 
7, 2007 ,tiiwlohte at hctp://www.nyiimcs.coin/2007/ i 08/07/rcdmolo‘*y/07ilu*Jcbc.I.70132iJ.luml. 

3f. See, e £ , WesaJv, Secutiiy and Privacy, http , //w\vuMVcsriK‘.cimi/p*ii*c/secur«y (last visited 
Jtmo 12, 2010), Mint com, How Mint Personal Finance Management Ptotects Your Financial Safety, 
lvtp.//\vww.minr eom/pnv:icy (ia%r viMretl June 12. 2010). 

32. LESsiC, Aiipm note 18, at 4 
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about iyouc visit into what is callcc! a log file. 1 1 he vast majorit r of web servers 
collect much less than the maximum amount of information lvjtiablc about 
/our visit, not due to the principled privacy convictions of th :ir owners, but 
because the software saves only a (unite J amount of inform tin i by default.' 14 

c. Faith in Anonymization 

Many defend the piv'ncy-j protecting powei of anonymization and hold it 
out as a best praedee despite evidence ro the contrary. $n on • best practices 
guide, the authors, after cursorily acknowledging concerns a bo it the power of 
anonymization conclude that, “(w)htlc we »*crognizc that (rcidc infication] is a 
remote [possibility in some situation*, in most eases genetic research data ano 
nymization will help to ensure confidential uy.’ ,,s Similarly, Google has said, 0 {i]t 
is difficult to guarantee rprnpiete anonymization, but we Ixdiev* (Google’s log 
file anonymization techniques) wilt make it very unlikely isc r s could be 
identified.” 36 

Government officials and policymakers embrace anonyir izatton as well. 
Two influential duta mining task forces have endorsed anonymization. In 
2004, the Technology and Privacy Advisory Committee (TAP/vC), a Defense 
Department—led group established :n the wake of controversy o /er the govern¬ 
ment’s Total Information Awareness piogram, produced an irlucntial report 
about government data mining. 37 The icport recommends monymization 
whenever practicable’’ and thus restricts all of it^ other rec ommendations 
only to databases that arc not ‘known or reasonably likely to me luclc personally 
identifiable information. ,,M 

Likewise, the Markle Foundation taskforce, which included among its 
members now-Attorney General Erie Holder, produced a s milar report. 19 
Like TAPAC, the Markle Foundation group concluded that “anouymiung 
technologies could lx: employed to allow analysts to perform link analysis 
among data set? without disclosing personally identifiable info fruition ... [so] 


33. Srumuv Spa ini ioijr & Re tot Eckstein. Webmaster in a Ninrsn ll 456—59 (2002). 

34. Apache, A.p;ichc HTTPSerrer Vcimoii 1.3 Log Files, http://httpcl.apnc. ie.otg/Joa/1.3/logs, 
html (last visited Jun: 12, 2010) fdcseribinu thctlcfauV "common log fumar" which og> less information 
than the alternative "combined log foriiat") 

35. Aol.E.Shamoo& David I). Resnick. R lsionsiole Conduct ex- Res arch 302 (2009). 
V*. Chris Srghoian, DebitnLing Googfcs Log Anoirrimz<i(irm Pro/ifigcrndrt Surveifltmcc State, 

CNfcT News, Sept. 11, 7008, hrrp://nrws enct.com/830M3739_3-10038963-4( he ml. 

37. Technology & Privac\ Advisory Comm., Report: Saeeguai ding Privacy in 
THE FIGHT against Terrorism 35-36 (20Q4),dt’<itfeiMc cii hup://www nlt.org/ ccurity/usupiuriot/ 
20040300r,»jT;ic^xlf. 

38. fd.;tt 50 (Recommendation 2.2). 

39. See Markle Pound. Task force, supra note 23, at 34 
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analyses can perform their jobs and search for suspicious par terns without the 
need to gain access to personal data until they make rhe requisite showing 
for disclosure.” 40 

Many legal scholars sluue this farh *n anonymization.* 1 Ira Rubinstein, 
Ronald Lee, and Paul Schwartz state a '‘consensus view” that “fw]«th the goal 
of minimizing the amount of personal information revealed in the course of 
running pattern-based searches, the anonymization of data (such as names, 
addresses, and social security numbers) essential ,rU Barbara Evans, a promi- 
ncnc inedicaiprivacy scholar, speak* about ‘ anonymized” data “chat have had 
patient identifiers completely and irrevocably rcinoveu before disclosure, such 
that future reidentificauon would be impotable”" Manv other legal scholars 
have made similar claims premised on deep faith in robust anonymization.* 
The point is not to criticize or blame tne>e people foi dusting ar.onvinizaciou; 
as we will see, even computer scientists have been surprised by the success of 
recent attacks on anonymization. 

2. Anonynuzacion Techniques: The Rekascand-Foigec Model 

How do people anonytnize data? From among dre scores of different ano¬ 
nymization techniques, 1 will focus on an important aiul large subset that I 
call release-and -forget anonymization * As the name suggests, when a data 
administrator practices these techniques, she release* records—either publicly, 


40. Id :»r >4. 

4i ReguLnns do fiK» Sdd tnjiCt Parr H.A (lwmy mivs and icguLcimv, ih,K assume rolvisr Jinonymi- 
zacion). 

42. if.i S. {lubiascoiu ot ,i!, Daui Mamu> and internet Pxi/'/inj Emerjjnig Kvgidrttory cind 
Ttctovtogcal Aftmuefa, 75 U O U L. Ri-V. 261,266, 263 (2C08) 

43. Barham J. E\ am, C«mgx?.\\’ New lnfui\tuu.umil Kitxlei ofMcdicat Putxtcy, 84 NOTRE DAME 

L. Rev. 585,619-20 (2009) Pro/cssoi tvatv> has climbed that the queue did nm reflect her personal 
opinions about die feasibility ol definitive anonyuuzjuon hut hkIvlt reflected lv.»w ’.he term ‘anonym:- 
smim' has commouly been tindcnronJ hy regulators and orhers m hmcrhtcx Emm I from Ruhmi Evans. 
Assix:. Univ of Hnusum Law On . ro Paul Ohm. Ass,x Piofev,oi. Umv ofCnlomdo »aw ^d\ 

(July 21, 2010) ion hie \\ ;, h audit i) 

44^ See, e.g , Fted H Cate, Ctnwnmem Data Mining Tiie Need fo\ a Ugal FtameivoiL, 43 HaRV 
C-JR.-Cj.L. L. Rev 435, 4h7 (2008), Matthew P (jorilon, A Lcgnl Duty io Disclose Inthvuliutl Research 
Finding* to ResearJi Subjects'. M FOODd. DRUO LJ. 225, 258-59 (2009), Barr ha Mai iu Knoppors 
ec iit., Ef/iiarf issues m Second,ny Uses oj Human Btobfitcal Mataial From Mass Disasters. 34 J L MED. 
& ETHICS 352, 353 (2006), Susan M Wolf ct al., Managing /naVLurnl Findings in Himitm Subjects 
ffcawrdfi. Analysts ami Rccommcmltuums, 36 J L. MCI). & ETHICS 219, 226-27 (2008); Irfan Tukdi, 

Comment, Tumsatknwc Turbulence Vie Pawengei Name Raoul Conflict. 45 HOUS. L REV 587 618- 
19(2008). 

4^* Odvi means t»f making J.ita more anonymous include releasing only aggregated statistics, 
interne rive techmqucv, in which .Klminttniiriirs answer drciieJ que^rtons oix Ivlialf of reseaichers, instead 
of releasing itwa m its eiwuery; and “differential privacy" techniques, which protect privacy hy adding 
carefully calibrated none to the data See discussion ni/m Part II 1.0 2. 
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privately to a third party, oi internally within her own orga rzation—and 
then she forgets, meaning she makes no attempt to track wF at happens to 
d>c records after release. Bather than blithely put her data subjects at risk, before 
she releases, she modifies snnv of the information 

l focus on release-and-foiget anonvmhnnon for two reasons. First, these 
techniques are widespread/ 6 Because they promise privacy while allowing 
the broad dissemination of data, they give data administrators everything they 
want without aavcompromise*, and dam administucors heve embraced them. 
Second, diese techniques are often flawed Many of die recent advances in the 
science of rcidcntifkation target rclcasc-and-forgct anonymuatior in particular. 

Consider ?ome common relcasc~muMoiget techniques. 4 * First, we need 
a sample database tv> anonymize, a .simplified and Kypotheti :al model of a 
hospital’s database for tracking visits and complaints: 50 


TABLE l.O i iginal (Nonnnorq mized) Data 


— - 

Name 

Race 

Birth Date i 

Sc\ 

ZIP 

Code 

< Complaint 

Sean 

iilack " 

9/20/1965 

Male 

02 M1 

Sh irt of bi each 

Daniel 

Bind: 

2/14/1965 

Male 

02141 

(Tiest pain 

Kate 

Black 

10/23/1965 

Female 

02138 

1 ’a inful eye 

Mai ion 

Bind 

8/24/1965 

Female 

02128 

Wheezing 

Helen 

Black 

11/7/1964 

Female 

0213(8 

A rhing joints 

Reese 

Black 

12/1/1964 

Female 

02138 

■ 3hest pain 

Forest 

White 

10/25/1964 

Male 

02138 

Sh 'irtofhicnth 

Hilary 

While 

3/15/1965 

Female 

02139 

H yper tension 

Philip ! 

White 

8/13/1964 

Male 

02139 

Aching joints 

Jamie 

White 

5/5/1964 

Male 

02139 

Fever 

Sean 

White 

2/13/1967 

Male 

02135 

Vomiting 

i . i 

Adrien 

White 

3/2VI967 

Male 

02138 

Back pain 


46. See Laki V.S Lakshmanan & Raymond T Ng, On Dwefosuu" Rts!' Ai Hy s/s of Anonymized 
/icmsm m c/vc Preset cc of Prior Knou&ifcc, Z ACM TRANSACTIONS ON KNOWLKHC b DISCOVERY FROM 
Data 13, I 5:2 (ZOXS) (“Among the veil-known rrimfonnation techniques, aivyr yim^unon is arguably 
the most common ”). 

47. Id. ("Compared with other transformation techniques, atKmyn»iration i simple to carry nut, 
as mapping objects bac k anti forth is c isy ”). 

48. See Justin Bi ickcll 6. Vitaly Shmatikov, T/ic Cost of Privacy Destruction of Data-Mming 
UtAty m A non ymqcV Dcu * t Publishing, ni /OOP KNOWLLlXiC DISCOVERY & DATA MIL ING CON1-. 70, 70. 

49 The following discussion 1? only a survey; it will make sm expert of no one. 

50. All of flic hyjTothctical cfat i in this table a^tdc from the “Name" colunrv i comes from a paper 
by Latanya Sweeney. Sweeney, su(no note 8, ar S67 fig 4 Whcic the first name come from is left as 
an exercise lor the read* r 
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Using standard terminology, we call this collection of data a table; each 
row is a row or record, each column is a column, field, or attribute* identified 
by a label (m bold) called a field name oi attribute name; each record has a 
particular value lor a given attribute 

To protect che puvacy of the people in this table, the hospital database 
administrator will take the following slops helote releasing this data: 

S/ngftng Out Identifying Informal it'n- Fust, the administrator will single 
out any holds she dunks one can use to identify individuals. Often, she will 
single ouc not only well-known .donateis Lla name and social sccuuty number, 
but combinacions of fields that whoa considered together might link a record 
m che table to a patients identity. 5 ‘ Sometimes an administratoi will select the 
potentially identifying fields herself, either intuitively (by j jointing types of 
data that seem identifying) or analytically (by looking for uniqueness m the 
particular dam). Foi example, two people in our datal esc shewe a birth date, 
so the administrator must treat birch dace as an identifier. 53 If she did not, 
then anyone who knew Forest’s birth date (and who knew Forest had been 
admitted to tl\e hospital) would be able io find Forest in the anonymized data. 14 

in ochei cases, an administrator will look to another source—such as a 
statistical study, company policy, nr government regulation—co decide whether 
or not to neat a particular field as identifying In this case, assume the admin¬ 
istrator decides, based on one of these souices, to treat the following four fields 
as potential identifiers* name, hirth dace, sex, and ZIP code.*' 

Si<pf^*exs/on: Next, die administrator will modify the identifying fields. She 
might suppress them, removing the fields from die table altogether 56 In our 
example, die administrator might delete all four potential identifiers, producing 
this table: 


51 O.AVils PO* rU, hlUNNINC LU7AH KsL 3S~| 1 (2005) 

52. Glaudio Boa in i ci J, T/w fvu/e of Qiitbi-Meuri/ieis ni k-Aiioiiviiify Revolted (DICu Untv. 
Mttin Tech. Rep. RT-11 -Ot), July 2006). 

5 >. See ul fiecutw: rhe.>e .vKh i>i klenntiei'. do nor link dnoaly to idennrv, knmicIvis .Mime times 
refer ro mem as ijuj$i-idcn;.i tiers 

54 . Tku Lu*je numbers ul people couU know Fotcm's birth date u> l,u In mu an idle worry. Today, 
more chan ever, people .ire sharing rhis kind of information u idely. For example. *‘.ir lease 10 milium 
U.S. rosdeoTs make public 1\ available oi intcr.ihlc rhur binhJ.e information on thur lsoci.il networking) 
online profiles M Alessandro Acquistt Ralph Gross, SSjV Sfiitb-FAQ, hup://www lie ins cnui.edu/ 
~aoquisci/ss<iscudy (fast vUtced June 12, 2010) 

55. .See infill f v .ur I b.l.h (Jisuissing lOse.uch about ibing the tomhi nation of ZIPcnJe, hirrh date, 
and sex as an identifier). 

56. Sweeney, stiprn tuxe 6, ac 3 
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TAIU£ 2: Suppressing F° t,r Identifier Fields 


Race 

Complaint 

Blade 

Short of breath 

BUcl 

Chest pain 

Black 

Painful eve 

Pinch 

Wherein*’ 

Block 

Aching fomts 

Black 

Chest pam 

While 

Sliorc of breath 

Wlvic 

Hypcrrension 

While 

Aching joints 

While 

Fevci 

White 

Vomiting 

While 

Back pain 


Here we first encounter a fundamental tension. On the oi tc hand, with 
this version of the d.ita, we should worn* bttle about privacy, evei. if one knows 
Forests birth date, sex, ZIP code, and race, one still cannot learn Forests com 
plaint. On the chu hand, aggicssivc suppression has rendered tliis data almost 
useless for research. Although a icscaichcr can use the remaining data to 
track the incidence of diseases by race, because age, sex, and residence have 
been removed, the icscarchcr will not be able to draw many other interesting 
and useful conclusions. 

Generalization: To better strike die balance between util it 1 r and privaev, 
die anonymizer might generalize rather than suppress identitiers This means 
she will alter rather than delete identifier values to increase privacy white 
preserving utilit/. For example, the anonymizer may choose t ■> suppress the 
name field, genenlizo (he 1‘Tth date to only the year of birth, and generalize ZIP 
codes by retaining only the first three digits/ The resulting clcta would look 
like this: 


57. .See m/ra Part Ilf.R.I (discuw ng the re Ian >n$hip between ur il i ty and pri r acv) . 

58 Sweeney, supr, i note 8, at 3. 

59. Uixlcr the HIPAA Privacy Rule, these three changes would qualify the resulting table as 
dcklcntified health infoi mat ion. Set U.S Health & Human Set vices. Stand, nth for Privacy of 
Individually Identifiable Health Information, 45 O.F.R $$ 160, 164 (2009) F< e more m Ml PA A and the 
Privacy Rule, see ro/m Part 11 A 3 a. 
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TABLE 3: Generalized 


Race 

B'rth 

Year 

Sex 

ZIP 

Code* 

| 

Complaint j 

, Black 

1965 

Male 

021* 

Short o f breath 

Black 

1965 

Male 

021* 

Chest pain 

Black 

1965 

Female 

021* 

Painful eye 

: black 

1965 

Female 1 02 1 * 

Wheezing 

i Black 1 

1964 

Female 

021- 

Aching joints 

Black 

1964 

Female 

021* 

Chesr pain 

White 

1964 

Male 

021* 

Shoir <4 breach 

: White 

1965 1 

Female 

021* 

Hyperrension 

White 1 

1964 

Male 

C21- 

Aching joints 

White 

1964 

Male 

021* 

Fever 

White 

1967 

Male 

021* 

Vomiting 

Wi t ice 

1967 

■ ■ 

Male 
— - ... 

021* 

Park pam 


Now, even someone wlm knows Forests buck date, ZIP axle, sex, and 
race will have trouble plucking out fv)re>t , s specific complaint. The records 
in this generalized data (Table 3) are more difficult to reidcncify than they 
v/ere in the tuiginal data (Table l), bm lesemchers will find this dam much 
more useful than the suppressed data (Table 2). 

Aggregation: Finally, to bettet understand what qualifies as release-and- 
icrget anonymization, consider a commonly used technique that docs not 
obey release-and-forget. Quite often, an analyst needs only summary statistics, 
not raw data. For decades, statisticians have investigated how to release aggre^ 
gate statistics while protecting data subjects from reidencification. 60 Thus, if 
researchers only need to know how many men complained of shortness of 
breath, data adminisniKots amid release this 

Table 4: Aggregate Statistic 


Men Short of Breach 


60. E.v., Nabil R. Adam & John C. Wuriiiiann, Security-Control Methods jot Statistical Databases: 

A Oim/wnmwe So«b, 21 ACM COMHJTIKC; SURVEY SIS (1989); Tore Daleniin, To iWs a 
MedtodoL^ fin X musiicel Disclosure Omtrol, 15 Sl'.Y] iSTlSk TiliSKRlfT *129 (1977) (SiwJ.); I.P. Fcllegi, 
On rfw Question of Statistical Con/iJoino/iiY, 67 ]. AM STAT ASS'N 7 {1972) 
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As it happen >, Forest is one of the two men described by this statistic—he 
complained about shortness of Ft cadi—but without a lot of additional infor¬ 
mation, one would never know. His privacy is secure. 01 

Privacy lawyers tend to refer to reiease-and-forget anonym ration tech¬ 
niques using two other names: deidentification ‘ and the removal of 
personally identifiable information ( n ll}*' De’dernificadon ras taken on 
special importance in the health privacy context. Regulations implementing 
the privacy provisions of the Health Insurance Portability and Accountability 
Act (HIPAA) expressly use :hc term, exempting health piovidcrs and 
researchers who deidentifv data lx:fore releasing it from all of HIPAA’s many 
onerous privacy requirements* 

B. The Present and Future: Easy Re identification 

Until a decade ago, the robust anonym Nation assumption worked well 
for tvetybocly involved. Data administrators could protect privacy * vhen sharing 
data with third names; data subjects o»u!d rest assured that their secrets 
would remain private; legislators could balance privacy and oihcr interests 
(such as die advancement of knowledge) hy deregulating the 'radc in ano¬ 
nymized records/ 5 and regulators could easily divide data hanvilers into two " 
groups: the responsible (those who anonymized) and the irrespt risible (those 
who did not). 

About fifteen yeers ago, icscatchers siartcd to chip away at the robust 
anonymization assumption, the. foundation upon which (his smte of affairs 
has been built. Recently, however, they have done more than chip away; 
they have essentially blown i- up, casting serious doubt on he power of 
anonymization, proving its theoretical limits and establishing what I call the 
easy reklentificatinn result. Thk is not to say that all anonymization techniques 
fail to protect privacy—some techniques are vciy difficult to reverse—but 
researchers have learned more than enough already for us to reject ano¬ 
nymization as a privacy-providing panacea. 


61. R>r additional discussion of puvney techniques other than rclcasc-and-fo ijct, see infra Part 
III.B.2. 

62. NationaI histt tutes of Health f k -rrIcnti/ymjj Protected HeaWi J nfamuxtitm. Under the Pn \vcy 
Rule, http://priviicynilcandrcscarch.nih.ttn/pr_08 asp (last ^ isitcd June 12, 2010). 

63. Erika McCaujster et al Nat’l Inst or Standards & Tech . 5 pccial Pub. No. 
0OO-I22,GUIDE TO Pl< OTIX TING THE OONHDLNTIALrn (X* PERSONALLY iDEHTIflAB £ INFORMATION 
(HI) (2010), available at http://o>rc.nist.rov/puhlKartons/ntstpiih.V0OO*t22/sj>0OO-li 2 pi If. 

64 45CF.R j§ 164.502(d)(2), 164 5l4(aMb) (2009). See m/m Part II.A. I a. 

65 See infra II A 
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1. How Three Anonymized Databases Were Undone 

Consider three iecetv:, spectacular failures of anonymization. In each 
case, a sophisticated entity placed unjustified faith in weak, releasc-and-forgct 
anonyntizaiuxv These stories, winch I will use as examples throughout this 
Article provide two important lessons: The\ demonstrate the pervasiveness 
of releas^-aad-forget anonymization »*ven among supposedly sophisticated 
data administrators, and they demonstrate the peril of this kind of ano 
nynuzAunn m light of recoin advances m icidentificnaon 

a. The AOL Data Release 


On August 3, 2006, America Online (AOL) announced a new initiative 
allied ‘‘AOL Research. 1 To ‘‘em(xac(cj the vision of an open research com mm 
ntty,” AOL Research publicly posted ro a websire twenty million search queries 
for 650,000 users of AOLs search engine, summarizing three months of 
activity.*’' Researchers of internet hehavior rejoiced to recenv th.s treasure 
trove of information, the kind oJ inioruutioii that is usually treated by search 
engines as a closely guarded secret A The euphoria was shore-lived, however, 
as AOL and the rest of the world soon learned that search engine queries arc 
windows to the soul. 

w 

Before releasing die dam to the public, AOL had tried to anonymize it 
to protect puvacy. k suppressed any obviously identifying information such 
as AOL use: name and IP address in the released data. 0 ’ In order to preserve 
die usefulness of the data for research, however, it replaced diese identifiers 
with unique identification numbers diat allowed researches to correlate- 
different searches to mdi\ idual users. w 

In rhe days following the release, hloggeis poied through the data 
spotlighting repeatedly the nature and extent of the pi ivaey breach. These 
bloggers chased two different prizes, either attempting to identify users or 


66. Posting of AlvJnr Oh»mJhury, cabJunShol com, in SlGlR-IRLisr, uhsr-ediroil3iacm.org, 
http://silaka.es inuc.Ldn/xiocn/iu>l/20060803_SlG'lRLisrIzinail.txt (Iasi vested July 19, 2010). 

67 id Olivers have reported that tlu data contained thiitv->ix million entries. Paul Boutin, 
You Ai<‘ What You Sean l\, $LATL, Any 11,2006, luip.//u u w si a re tom/id/2 M7590 

68. See Kane Halner, ftewui Juris Yc-mu to Uve AOL Lj“ 1, hue They Hesitate, N.Y. TIMES, Aug 2 L 
2006, at Cl {describing the difliciiln iliat academic tocaichers experience accessing raw search data). 

69 See Michael Bari wo & Tom Zeller, Ji , A Face Is Exfvwd fen AOL Searcher Nu 44 177-/9, 
N.Y. TlVttiS, Any 9, 2006, su A1. IP nJJic&is, discussed mfui in Pait 11 AT b, :ue numlxiis thar identify 
compart! !> on rhe internet and can be used ro track mremer activity 
70. Barkuo &. Zellei, Jr., mi|)ju note 69 
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“huntfmgl for particularly entertaining or shocking search histones.” 71 Thanks 
to this blogging and subsequent news repotting, certain user i Icndfication 
numbers have become sad littl*' badges of infamy, associated wth pitiful or 
chilling stories. User “No. 3505202 askfedl ahout ‘depression and medical 
leave.’ No. 7263042 typefd] ‘fear that spouse contemplating cheating.’” 
User 17556639 searched for “l.ou to kill you** wife” followed by a string of 
searches for things l»Le “pictures of dead people” and “car ciasb photo.”'" 

While most of 'he blogosphcic quickly and roundly condemned AOL, 
a few bloggers argued that the iclcascd data, while titillating, did not violate 
privacy because nobody hac! linked actual individuals with then anonymized 
queries.” This aigument was quickly silenced by New York Times reporters 
Michael Barham and Tom Zeller, who recognized clues to U,er 4417749’s 
identity in queries such as ’“landscapers m Lilbum, Ga,’ scvcial jx c>plc with the 
last name Arnold and 'homes sold in shadow lake subdivision gwmnett county 
gcorgia ”’ 7<i They quickly * racked down Fb.clma A r no!d, a sixt^-two*-year-old 
widow from Li lb am, Georgia who acknowledged that she had authored the 
searches, including some mildly embarrassing queries such as “rumb fingers," 
“60 single men ” and “dog that urinates on everything.” 77 

The fallout wai. ov/ifi raid crushing. AOL fired the reseirche who released 
die data and also hk supervise: 79 Chief Technology Officer Ma uccn Govern 
resigned. 79 The fledgling AOL Research division has been siicnced, and a 
year after die ini idcnt, the group still had no working website. 


71. id. Thc.sc twin goals demonstrate an important information dicliotwmv re* wireJ hfen When 
someone talks about the sensitivity i>t data, they ma'* mean that the information can cause harm if 
disclosed, or they mav mean that the inloi (nation can !x uted to lu\k unonvmui d inlor nation to identity. 
As we will sec, regulators often misunderstand tlx* difference lx tween iIh: .sc two clascs of information. 


.See rn/ra Fart II.A. 

ll. See Rarbaro & Zeller, Jr., inf ra n<HC 69. 

71 Markui Fi nd, AOt 5e.in.fc Drt<i Sfcmvs l km Pirmnmg :« Qxnmit Murder, Paradigm Soyi 
(At^. 7, 2006), http'7/pk rrtyof fish.wordntcss conV20C6/08A37/aoL5carch-da(a-sho .vs-users-ptanning- 
to-enmm • t-munlcr. 

74. See, e.£.. Posting of Mtcha.4 Arrington ro TechCninch, AOL Proud y Releases Massive 
Amounts of Pmtite Drtto (Aug 6, 2006,l, littp://w*\vw.tcxhcmtKhccW2006/(ViA)6/a»»l-proudly-rcicascs- 
mosstvc'amounts-of'user'>c well-data ("The titter stupidity of this is staggering. ). 

75 Greg Linden, for example, complained that "no one actually lias come i p with an example 
where someone could he identified. Jim the theotetKt.il possibility is enough to create a privacy fucstorm 
in some peoples muxls." Greg Li nden, A Cfctfutc lo Pfcrv V7wfc Orp Daw Gccknig With (. ug, hup://glindcn. 
blof^poc com/2006^8/cn-mcc-io-plav-■* 'th-hiK-d.ua html (Aug. 4, 2006, 19:53 0 

76. Rarharo fit Zeller, Jr., supra note 69 

77 

78. Tom Zeller, Jr, AOL Execute t Quits After Porting of Search Daw. RY. Tl) tUS, Aug. 22, 2006, 
hufn/jfwww. nvtimes com/2006i08/22/lcchnology/22ilu-aoI.2558731 -html. 

79. /dl 

80. Giris Sojfioirin. AOL, Netf'x and the End of Ofwn Access m RescorJi £>»• i, Sim-affcmcc Suite, 
CNtT NtWb, Nov. 30, 2007, hup7/ncws end com/8301 * 13739_3-9S26608-46 ht ul 
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b.ZIP, Sex, and Birch Date 


Recall hom the Introduction the study by Lacanya Sweeney, profcssoi 
of computer science, who crunched 1990 census data and discovered chat 
S/.l percent of people in the United Stares were uniquely identified by 
d>eir combined five-digtr ZIP code, birrh dare (including year), and sex. 81 
According to her study, even less specific information can often reveal identity, 
ns 53 percent of Ameucan citizen-* ate uniquely identified by their city, birth 
date, ant! .sex, and IS percent ny then uuuuy, hndi date, and se c/' 

Like the reporccis who discovered Yhum:. Arnold, Dr. Sweeney offered 
a hyper-salient example to duve home the power (and the threat) of reiden- 
tification techniques. In Massachusetts, a government agency called the 
Group Insurance Commission (GIC) purchased health insurance foi state 

employees. At some point in rhe mid-1990s, G It_decided to release records 

summarizing e^ery state employee’s hospicai visics at no cost to any researcher 
who requested them.* 4 By removing fields containing name, address, social 
security number, and other “explicit rienuhers,” GIC assumed it had protected 
patient privacy, despite the fact dui “iKXiUy one bundled attributes per" patient 
and hospital visit were still included, including the critical rrio of ZIP code, 
birth date, and sex.* 1 

At the time that GtC released rhe data, William Weld, then-Gomnor 
of Massachusetts, assured the public chat GIC had prorected patient privacy 
by deleting identifier:.^' m ’espouse, then-graduate student Sweeney started 
hunting for the Governor’s hospital records m the GIC datad 7 She knew that 
Governor Wekl resided in Cambridge, Massachusetts, a city of fifty-four 
thousand residents and seven ZIP axles For twenty dollars, she purchased the 
complete vote: rolls from the city of Cambridge—a database containing, 
among other things, the name, address, ZIP code, bath dace, and sex of every 
voter. By combining this data with the GIC records, Sweeney found Governor 


Si. St'CcPcv, .ukc A suhsitju^ni oiiivK r Lccd iIk mi mix r «u 61 percent (tor 1990 
census dara) and 63 percent (lor 2000 census data). Gollc, supra note 4, at I 

82. Sweeney, supra noro 4 

8 i. Massachusetts Exccumo 0(1 kc lot Adi” hush '.non and Finance, VTlio is the GIC ? , 
htcp7/mas^o\7iii<- {follow “Who is the GIG’** h>p^rlmL) (last visited June 15, 2010). 

^4 iLLomuwruhutons to hleuttjy iiid Ctini/Ml Putvicv Problems in the Goinnioniivn/i/i* Hc'fliitif 
wi H.tf 35 1 Bcfthc t/k* H. Select Comm on Informaium Security, 189th Sess (Pa. 2005) (.sr.ircinem 
ot Grunya Sweeney, Associate Pinlessui, Cnria^te Mellon UniveisirvJ.mttfljMciic htrp7/d.iraprivacy lab. 
tKg/Jataprivacy/talks/Fhek'05-10 html 

S3 id 

86. Homy T. Grecly, The Uneasy Ethuif L'vi Utyd l Wferpmnintp of Larye-Scide Oicnomu. Bioha>\k\ 

8 ANN. REV.GCNOMICS&. HUM. OlzNLTK S 343. 352 (2007) 

87. M 
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Weki with ease. Oaly six people in Cambridge shared his birth datonly three 
were men, and of the three, only he lived in his ZIP code.** In a theatrical 
flourish, Dr. Sweeney sent the governors health records (including diagnoses 
and prescriptions) to nis office. 9 

c The NetfUr: Prze Date Study 


On Octobei 2, 2006, about two months after the AOL deb* ck\ Nelflix, 
the “worlds largest online movie rental service,” publicly ieleased one 
bundled million records revealing how neatly a half-million of us users had 
rated movies from December 1999 to December 2033. 90 In each record, Nctflix 
disclosed the movie rated, the rating aligned (riom one to live st irs), and the 
date of the rating.” L ike AOL and G1C, Ncrflix first anonymized the records, 
removing identifying information like useinames, but assigning i unique user 
identifier to preserve «anng~to raaog continuity * Thu.., researchers could tell 
that user 13 37 had -a ted Gflttacn a 4 on Match 3, 2003, and Minority Report 
a 5 on November 10, 2003. 

Unlike AOL, Ncrflix had a specific profit motive for re casing these 
records. 95 Nctflix ihiivcs by being able m make accurate »novi« iceonimcn- 
dations; if Netfiix knows, for example, that people who liked Go. toca will also 
like The Lives of Others , it can make recommendations that keep its customer ,n 
coming back to the website. 

To improve its recommendations, Nctflix iclcascd the hundred million 
records to launch what it called the “Nctflix Prize,” a prize tha took almost 
th'cc years to claim. 94 The first team that used the data to signifies ndy improve 
on Nctflix's recommendation algorithm would win one million dollars. As 
with the AOL release, researchers have hailed the Nctflix Priz' 1 data release 
ns a great boon for research, an I many have used the competition to refine or 
develop important statistical theories. 91 ' 


88 Sweeney, 5up a note 4 
89. Crccly, jufn a nine 86. 

90 The Nctflix. Pi ice Rules, http //www nerfhx pnzc.com/nilcs (last visited Ji no 12, 2010) 

91. W. 

92. Nctflix Pric. FAQ, htqr//w\vv.nctflixpnze com/faq (last visited June 12, 2010) (answering 
the question, "Is there any customer information in the dataset that should Ik kcj t private?”). 

93. See Clive Thompson, If You jked This. Yotne Sure la Love That, N.V. TIMES MAG., Nov. 
2.3, 2008, at 74, available at http7/wsvw.n#timcstom/2008/l l/23/nwgaanc/23Ncffltr -t.html 

94. Posting of otevr Lohr, Netjhx tjuilicnge Knit, hut Winua u in Doub~ N.Y. IIMLS BITS BLCKJ, 
http./A>Us hk>ps nytiur s cirn/2009/07/27/nct!ltX'chaHenyc-*eiuls4uit-winncr'is in-dou it (July 27, 2009, 

16:59 EST) 

95. See The Net fin Prize Rules, u<fvra note 90. 

96. See Thompson sufna note 90 
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Two weeks after the data lele.v*?. researches from the University of 
Texas, Arvind Narayanan and Prolessor Vitaly Shmarikov, announced that 
“an actackci who knows only a little bit about an individual subscriber can 
easily identify thus subscribers record if it us present m the [Netflix Pi be] 
dataset, oi, at the very least, identify a small set of records which include the 
subscriber's record.” 3 ' In other words, it is surprisingly easy to re identify people 
m the database and thus discovei all of the movies they have raced with only 
a h-cdo outside knowledge* <>hixic their movic-warching preferences. 

Tne resulting icsearch papei is brimming wah stalling examples of the 
ease* with wmch someone could leidentify people m the database, and has 
been ceiehiated and cited as surprising and novel to computer scientists/* If 
an adveisary—rhe term used by computer scientist/ 1 —knows the piecise 
ratings a person in the database has assigned to mx obscure movies, ,co and 
nothing else, he will he able :o idcntifv that person &\ percent uf die timr. 101 
If he knows approximately when <gi\e oi cake nvo weeks) a person in the 
database has rated stx movies, wiierher or not rhey are obscure, he can 
identify the person 99 percent of die time ,tJi In fact, knowing when ratings 
were assigned turns our to Be so powerful chat knowing only two movies a 
rating user has viewed (with die precise ratings and rhe rating daces give or 
take three days), an adversary can reidentify 6S percent of the users. 103 

To summarize, the next tune youi dinner parry host asks you to liseyour 
six favorite obscure movies, unless you want everybody at the table :o know 
every movie you have ever rated on Netflix, say nothing at all. 

To turn these abstract results into concrete examples, Narayanan and 
Shmarikov compared rhe Netflix rating data to similar data from the Internet 


97 Ai einti Niai.ty.inan Vnrnly Shmarikov, How to OieaL the Anonymity of the Netflix Prize 

DtMosa, AKVlX, Ox 16, 2006, at l, http7/ar\u 10105vl (v.i) [Iierciiuftcr Najhx Prize W) 

Narayanan and Shmatikov eventually puNislied die results in 2008. Ner]lt\ Prize Study, sup)a note 5 

98 In 2008, rix* papei was .maided dvj “AuuiJ ku Onisr.indm» Research in Privacy Enhancing 
T*.ehiV)lopu-> M oi PET Au* id, given jointly ny Miciosofr and rlv* Pi nac\ Con.mksinnei of Onrauo, 
GaauL Piess Release, EMEA IVfeOr, MicnhoTc. Pnvacv in du. Test —E\piu mg cite Limits oi Online 
Anonymity and Accountability <hd> 23. 20)8), hnp Jtwww 11 lien jIt coni/einc.i/pR*centrc/pressreleasei/ 
23072038J^TTSES imp* C.£, Cymhia Du ark, An AJ Omivi Appro «di to Defining and Achieving 
Private Data Anoint*, in PlUV.U A , SUTJKIIV, XNOTlUS'l IN KDD l. 2 {20d&), available at hrtp://wivw 
*pr ingcri ink.cmn/concei ic/85g815513bn1 2 \v06/l u11 1 e \ i pdi 

99 See m/m Parc I 8.2 i 

100. 8y oKcurc movie, ! mean a nun ic oiiimJc rhe rop five hunJied mu vies i.ired m rhe 

database, ranked h> niimk'i of iarmg*. giv cn See genenilh Ncifhx Prize Study. sufna note 5. 

101. Id ac 12 i, 122 hgS The auihuft emphasec dui ihis icmli would apply to most of rhe rating 
users, as 90 percent oi diem rated live oi nunc obscuie movies and 80 percent rated ten or "tore obscuie 
movies. Id. ar {21 ibl, 

102 W .ir 121, 120 fig 4. 

103 Id 
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Movie Database (IMDb), 1 ' 4 a movie-related website tKat also g ves uscr^ the 
chance to rate movies. Unlike Netflix, IMDb posts these ratings publicly on 
its website, as Amazon docs with uscr-submittcd book lacings ^ 

Narayanan and Shmatikov obtained ratings for fifty iMDb users. 1 ' 1 From 
this nny siunplc, 1 '*' they found < wo use is who were identifiable, to a sta f iscical 
near'Ceitiunty, m the Netfltx d .tahase. F^catee neitnei datah use vOinpn.tCti 
a pertect sublet of die othei, one could learn things from Nettto unknowable 
only from IMDb, and vice vers i, including some things these users probably 
did not want revealed, for example, the authors listed movies > iewed by one 
user that suggested facts about bis or her politics f“Fahrenheit 9/11"), religious 
views (“Jesus of Nazareth”), and attitudes k Award gay people CQucu r «is Folk”). 

ixxin after it awarded the first Netflix Prize, the company announced 
that it would launch a second contest, one involving “dcirographic and 
behavioral data . . mcludfingj information abtxit renters age;, gender, ZIP 
codes genre ratings, and previously chosen m<Jvics.” ,K In lat: 2009, a few 
Netflix customers brought a claSvS action lawsuit against tnc company fot 
privacy violations stemming from the release of their informatic n through the 
Netflix Prize 11 The suit alleged violations of v irious state and federal privacy 
laws/ 1 * A few months later, afrer the FTC heaune involved, Netf ix announced 
that it had settled die suit and shelved plans foi the second con cst. 


104 Internet ivi ■: Database, hi tp://wynv.iindb.u>m (U>t visited June I 2, 2' > \ 0). 

105. Ideally, the mu here would ha vc imported the entire IMDb rating databa c to see how uiany 
people they ocxild identify in tiic Netflix data The audio* wen: afraid, however, dint die IMDb terms of 
serv.ee prohdutcJ this. Nct/Iix Pritje Study, supra note 5, at 122 As of Feb. 11, 20( 9, the IMDh terms 
of service pmhihirol, rroi- other dungs, '\hta mining, robots, * ccn scr..pi ig. similar data 
gathering and extraction tixih.'’ Internet Movie Database, IMDb Qipyuph 1 and a*nJitions of Use, 

http 7 /ww^v.imdb.coro/hclp/diow_aui« *c?conJmoiv> (last visited June 12, 2010) 

106 IMDli reports that 57 millior use* visit io site each month. Internet Mine Database, IMDb 
History, hup7/www.urHjh coni/ludp/slvw;_ leaf.history (last visited June 12, 2010). 

107. Net fltx Preje Si iftiy, 5 upra notc 5, at 123. 

108 Id. 

110. Piling of Steve Lohe, Net/I- v Awards $ I Million Pmj; and Starts a New (Contest, N.Y. TIMES 
BITS BlDG, http://bU 5 .HoKs nytuncs.c om/20097)9/2 [ /i ic til tx-awvm.lv1 - mil | ion*p ri c nnd-starts-a-new- 
contcM (Sep 21, 2009, .0*15 EST). 

111. Posting of Ryan Singe!, Nctfl< x Spilled Your Brokcbyck Mountain Secret, Lv unin Claims, WIB ED 
Threat Level Blog, utp ://\vww.w ired eom/thrt-atievel/2009/12/nctflix-privac -lawsuit (Dee. 17, 

2009,16:29 EST). 

IL ? Id 

111. Posting of Sic vc Lohr, Nctfux Cancels OmfM Plans and Settles Suit, N.Y TIMES Bl PS BLCX i, 
http■/ybfts.Wogs.nyniucs com/2010/03/1 i/ncdlix cantels conrcsf-plans-anJ-sett^-smt (Mar. 12, 2010, 

2:46 PM EST) 
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Ic seems wise to adopt this aggressively pessimistic assumption of perfect 
outside information given the avalanche ot information now available on the 
internet 1 ' 3 and, in particular, the rise oi blogs and social networks. Never 
before in human histoiv h.is u been so easy to peer into the piivace diaries of 
many people. 4 Alessandro Acquisn arid Ralph Gross—researchers who 
developed an efficient algorithm for using public data 10 guess people’s social 
security lumbers 125 —cal! "his rhe “age of self-ievelarion ” i2to 

oo|y one example among many in early 2009, many Face book users 
began posting lists called “25 landoui rhings about me/’ 1 ' 7 The implicit point 
of the e v ercise was to b -, rc one’s soul—at least a little—by revealing secrets 
ahouc oneself chat friends would not ahead} know. 128 “2^ random things about 
me” acts like a fleideiuihcation virus 1 '’ because n elicit. 0 a vast amount of secret 
iufonnarfon m a concise, digital format. Tins is but one example of the rich 
outside information avnlahL on soual networking websites. It is no Mirpnse 
diat several researches have already reidentified people in anonymized social 
networking data. 133 


c.The £iasic Principle: CX‘Crossed Hands and Inner Joins 

One computer security expert summarized the entire field of re iden¬ 
tification to me with a simple motion* He folded hi* hands together, interleaving 
his fingers, hke a parishioner about to pra}. This simple mental image nicely 
summarizes the basic redem ibcarion operation If you imagine that your left 
hand is anonymized data, yixir riglu hand is outside information, and your 
interleaved fingers are places where information from die left matches the 
right, this image basically capture.*, how reidentificarion is achieved. 


123 See Lnisshmatun N$j, *u(na note 46, at 13-3 (“The ax-impium chat there is no partial 
[.XKsiJej mtbnmnon one then.* odimply "hrmIivtic ip rim In,finer ci.i.”) 

>24. Of. De-Anon'vi,utrig Sodiil Nan-mis, sh pa now 117, ai 17 '-74 (iWrihu.g shaur.g of 
mion.iauon o'v,mu.J it in social networks) 

125 Aicttuviro Afquttfi & Ralj^i On»s, JVtlcmig Snrin/ Secwruv Nimi/vn jnm Public Him J06 
NaT*l A Caw Su 10975 (2009) 

126 Acquisn & Ouhv ai<pm note 54 

12? Dougl.v*Quei-kjoa. Alt, Ye>, Mow About Mw Haem* '25 ffant/nm Things', N Y TlMl-S Fob 

4. 2009, at E6 

128. See ui 

129. E.g , Michael Km.se, 25 fuoklom T?un»s About Mu u> Kcc/i You Ctmn«, $T PlTERSHURG TIMES, 
Feb 23, 2009, nm/loWe m hap*//\vww'.tamp.ibav.com/fearurcs/luimanm^crcsc/artide978293.cce. 

130. Dc-Ananymizm& Social Nainoi/o, supm mice 117, at 177; x*e u/>o Lars Eicbtrotn, Cyiulua 
Div'ork 6*. Jon Klemhcrg, VClierefoie Air Thu it R5579X> Anmqfintsgf %n'ial Network*, Hidden Patterns, 
tavl Smtctuwl StcgpiYiga()l\?, m U>H11IM Cl WORLD WlfX. WLR OONFBILSCL' PROC. 181 (2007), awtiLtUc 
at lKcp://(xxtai.ac tit urg/ctcation.cfm Vid-\ 24 2 598. 
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Database administrators cull the hand-folding operation an' inner join. 
An inner join b an operation combining two database tableconnecting 
rows from one to rows ftom the other by matching shared information. 
When the rows in the tables represent people, an innet join assume" Mat 
rows in which critical fields match refer to the same person, ant, can oe 
combined into one row ,n the output table Por example, if an adversary has 

one table that looks like this: 


TABLE It: Anonymized Database 


Pvace 

!3irlh Date 

Sex 

ZIF 

Code 

Comply nt | 

i 

Black 

9/20/1965 

Male 

ozwn 

Short of b each 

Black 

2/14/1965 1 

Mate 

02141 ^ 

O test pun 

Black 

.10/23/1965 

^ernak* 

02138 

Fainful eye 

Black 

8/24/1965 

Female 

02138 

Wheezing 

Black 

11/7/1964 

Female 

02138 

Aching j< 'inteS 

Black 

12/1/1964 . 

Female 

02138 

Chest p lin 

White 

~ 10/23/1964 

Male 

02138 

Short of breath 

White 

3/15/1965 

Female 

02 H9 

Hyperter sion 

White 

8/13/1964 

Male 

02139 

Aching j unts 

While 

5/5/1964 

Male 

02139 

Feve 

White 

2/13/1967 

Male 

07138 

Vomit> ng 

White 

3/21/1967 

Male 

021 IS 
_- 

Back p tin 


151. Indeed, m common Jamba e “INNER JOIN" is live command . 

«,operation See. e.?. AUVNBUAUUClLLARNINUSQL 77 (2005), 

SQL: A BCOINNkR’iGUOE 264 <2C0>0; ALUMO T.-WIOR, SQL ALL-IN-ONED 
DUMMIES 109(2007); r.AUL WILTON Sc JOI IN COLBY, PCOINNINO SQL 90-93 ( 
132. Sec BEAULIL'LJWgm note 131 

133 See id. This • implc example necessarily masks some complexity* ror c 
must comoxl with nohf Jata—tree that came h.lse positive, and fahe nq-ativ 
They one probability theory to ' ’tit ”< these k.nch .4 coots See Net(1.x Ft 

5, at 1/0 


iscd to pcrfoi m such 
ROBERT SHELDON, 
RtMTUiNOE FOR 
■•005). 

•ample, reidentiPiers 
s in the inner join. 
xv 5tud%, supm note 
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ReidencifLcation Techniques 


How did Sweeney discover Wilbam Weld's diagnoses? How did Barbara 
and Zeller find 1 helm a Arnold? How did Narayanan and Shmarikov rcidencify 
die people in the Nerfhx Prize daraser' Each researcher combined two secs 
of data—each of which provided paifMi answers co the question “who does mis 
data describe?"—and discovered that die combined data answered (or neatly 
answered) the question 

fcven though adminisuator had removed any data fields they thought 
might uniquely identify individuals, researchers in each or the three cases 
unlocked identity by discovering pockets oi surprising uniqueness remaining 
in che data. Just as human fingerprints left at i crime scene can uniquely 
identify a single person and hnlc rhac person v'itli “anonymous" informalign, 
so too do data subjects generate “data fmgcrpi tni$ M —combinations of values 
of data shared by nobody else in their table IH 

Of course, researchers have long understood tlie basic inruition behind 
a data hngerpiint; this intuition lay at the heart of endless debates about 
personally uJenrifialile infoimation (Pll). What has startled observers about the 
new lesuits, however, is that researchers have found data fingerprints in non- 
PH data, with much greater ease than most would have predicted It is this 
element of sui prise that has so disrupted the status quo. Sweeney realized die 
surprising uniqueness of'ZIP axles, birth dates, and sex in the U S. jxipulation; 
Barbara and Zeller relied ujX)n the uniqueness of a person’s search queries; 
and Narayanan and Slunacikov unearthed the sutprising uniqueness of the 
set of movies a person had seen and rated These results suggest that maybe 
everything is Pil to one who has access to the right outside infomiation. 
Although many of the derads and formal pi oofs of rliis work are beyond the 
scope of this Article, consider a few aspects of the science that are relevant to 
law and policy. 


a. The Adversary 

Computer scientists model anonymiznnon and ieidencifkation as an adve^ 
sarial game, with anonymization simply an opening move."' They call the 


114 $*e BBN Tech , Amiirynujiuion & DdiJdnitfiLanon, hup l/www hhu.cum/teclmolof'y/hci/ 

securicy/aikjn <last vtaiuxl June 12, 2010) (uk-rrinc lo^rvjces co icmove “‘lin-omrintb’ in the dairt"). 
(15. See Inc Dmur & Kobhi Nismivi, Reivnlin" /n/oniuinon Wluld Ibcvnvni* Pnw try, m PROC. 2 2ND 

ACM SVMR CHS* PlUNCIPLtS 0 VTAIWSL SYS. 202,201 (2<X>3).dt«iMjk at hrrj .//poiTabirrru Wciwrioa 
ef.u'.d=773l73 
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person trying to reidentity the data the “adversary.They seem not to moralize 
ihc adversary, making no assu nptions about whether he or s ic wantf to 
reidentify for good or ill. The defining feature of die advcrsaiy seems to be tnat 
he or she is, no surprise, adveisariai—motivated to do someth ng the data 

administrator wishes not to happen. 

Who are then? potential ad versa uc-. who might have a motive to re-den- 
tify 7 Narayanan and i^hmatikov suggest "stalkers, investigators, not / colleagues, 
employers, or neighbors.” 117 To this list we can add the police, national seen 1 ity 
analysts, advertisers, and anyone else interested m associating individuals 

with data. 


b. Outside l nfoi mation 


Once an adversary finds a unique data fingerprint, he can 1 nk thal data 
to outside information, sometimes called auxiliary information. Many ano¬ 
nymization techniques would i*e perfect, I*" only the adversaty knew nothing 
else about people in the world. In icaLly, of couisc, the world is avvasn m data 
about people, with new databases created every day. Ad versa ics combine 
anonymized data with outside information to pry ouc obscured identities. 

Computer scientists make one appropriately conservative assu nption about 
outside information that regulators should adopt: We cannot predict the type 
and amount of outside informal ion the adversary can access. It is naive to 
assume that the adversary will oc unable to find the pacuctuar piece of data 
needed to unlock anonymized data. 1 " 0 In computer security, this discredited 
attitude is called "security through obscuiity.”* 21 Not only do re identification 
scientists spurn security through obscurity, but they often assume that the 
adversary possesses the exact piece of data—if it exists needed to unlock 

anonymized ideno jes. in order to design responses that protect identity ^' r en 

, , . 122 
in this worst ease. 


I [ 7. Arvind Narayanan & Vitaly Shmatikow Dc-AiioiivnM;mu 6*cw:«U Neittwrt 5. in PltOC. 2009 
30th IEEE SYMP. ON StOJfirn & PRIV ACY 173, 203 (hcicin.iftcr Dc-AnonynM?n\' Social Networks J 
(for a draft version of this article that inc ludes unpublished appendices, see Narayaam & Shmntikov, 
infra note 169). 


118. 

119. 

120 . 
121 . 


See Net/lix Prise Sutdy, supia note 5, at 112 

w. 

SlMSON OARHNKEL CT AL, PRACTICAL UNIX AND iNTtRNIT SEC JRITY 61 (2003) 


{dcacribrnt* ‘Itjhc problem with sccuut- chrouph obscurity") 

122. Cf. Cynebia D«\irk, Offaen'in 1 Prmicx, m At nOMATA, LANGUAGE AND PROGRAMMING, 

13rd 1N1TCOLLOQUIUM PROG PART I■ I, 2 (2C06),m«/l«Mc<u ltftpV/ www ^P rin « cr mk.com/contcnt/ 

383p2lxkl3841688/6 illtcj.t pdf. 
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and a separate tahle rhnc looks like ihi*: 


Table 6: Database Including P1I 


Name 

i--- 

Birtn Date 

Sex 

ZIP 

Code 

Smoker? 

Daniel 

2/1*1/1965 

Male 

02 HI 

Ye c 

F >rcsr 

. 

10/23/1964 

Male 

02 i 38 

Yes 

lie lea 

11 / 7 /;%-, 

Feaie 

02138 

No 

’ 

Hilary 

7/15/1965 

r* i 

rema'e 

02139 

No 

J Kate 

10/27/1965 

Feira Ic 

021.38 

No 

l - 

; Manor 

S/24/1965 | 

Female 

02i33 

Yes 


and she performs an ; oner join on rhe bmh date, sex, and ZIP code columns, she 
would produce this: 


Table 7: Inner Join of Tables 5 and 6 on Birth Daco/ZIP/Se> 


J Name 

Race 

Birth Date 

Sex 

ZIP 

Code 

1- 

Complaint 

| 

Smoker? 

Daniel 

Black 

2/14/1965 

Male 

02141 

Chest pain 

Ye* 

Kate 

Black j 

10/23/1965 

Female 

02138 

* 

r~ 

ct> 

fk 

No 

Marion 

Black 

d/24/1965 

Female 

02138 

Wheeling 

Ye* 

Helen 

Black 

11/7/1964 

-■ -j 

Female 

02138 

--- — .— 1 

Aching joints 

No 

Forest 

White 

10/27/1964 

Male 

02138 

Short of brearh 

Yes 

Hilary 

White 

3/15/! 963 

lx male 

0/139 

Hypertension j 

No 


Notice that with Lhe (v\o joined tables, the sum of the information is 
greater dtan the parts. From the first cable alone, rhe adversary did not know 
that the white male complaining of shortness of brearh was Rarest, nor did he 
know that d\t person was a smoker Fiom die second table alone, the advetsary 
knew nothing ahoui Rnest’s visit to the hospital After rhe inner join, the 
adversary knows all of this 

3. Responding to Objections 

In rhe rest of this Aiade, 1 draw many lessons from rhe three stories 
presented above and use these lessons to call for aggressive regulatory 
responses to the failure of anonymization I anticipate, and in some cases I 
have confronted, several objections to these interpretations and prescriptions 
that deserve responses. 
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a. No Harm, No Foul 

The three stories above < lemonstrate well the povvci of re identification, 
but they do not demonstrate bow re identif 'cation can be used to Ha an people. 
Tlie researches described ace professional journalists or academics and ethical 
piles and good mo r al judgment. limited the haim they caused. But do not be 
misled if the results of these siudies seem bcivgr. In IVr III, 1 snow how the 
techniques used in these stud it.i cm lead to very real harm, by assembling 
chains of inferences, connecting individuals to harmful facts. 

b. Examples of Bad Anonyrntzanon 

Several people have expired the opinion that the thice stoi ics I describe 
highlight only die peril of bod anonymization.These people have argued 
that the Stale of Massachusetts AOL, and Nctflix should have foreseen the vuh 
nerahility of tlieir approaches t<> anonymization. 1 * I have many re sponses. 

First, and most fundamentally, die phrase “had anonymization” is redun¬ 
dant. At lease foi forgct-ai id-release methods, computer scientists have 
documented theoretical limit, about the type of pnvacy that cz n be achieved, 
which I describe below. 07 Although some researchers nave developed new 
techniques dial do better than forget-arid-release anonynnzati in, these tech¬ 
niques have significant limit itions, and * explore both the techniques and 

limitations below. 11,1 

Second, the fact that such sophisticated data handlers were responsible 
for there three data releases belies the idea that these were die mistakes of 
amateurs. Indeed, Nctflix boasted about how it perturbed tbc Nctflix Prize 
data before it released it to protect privacy.' w Likewise, AOL’s <'ata release was 
stewarded by PhDs who seemed aware that they were dealing with sensitive 
information ami approved by uglviank'ng officials. Wrh n:r thigh t it is ea.i/ 
to argue that these breaches were foreseeable—nobody questions anymore 


134 Sec infra Pare III.A (describing“rive database of turn"). 

13") E f Rivaled 1:1 Emam. Her* Thcie Been a Mure of Amnymwttan’, EV CTRONIC HEALTII 
INFORMATION & PRIVACY, Aug IV, 2009, hop.//chipblogsconrv/dvijV^009/C'S/]vaS'fhcrC'bccn a' 
failurc-o(-anonymiz at ion html ("Ohm has taken examples of poorly de-identdied datasets that were 
re-identified and drew found coivcIusk. ru? from tivose ’) 


136. M. 

137. .See infra Tart Ill.B.I 

138. See infra Part III.B.2 and III B.3. 

139 Nctflix Prize: FAQ, sufmn tv »te ("Even if, for example, you knew all y >ur own ratings and 
their date. y<xi probably couldn’t identify them nimbly m the data because onl> a small sample was 
incluJcd (less than noc-umth of our complete dataset) and that data was subject <o perturbation. ) 

140 Zeller, Ji, 5 u/w note 78 
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whether search queries can he used to identify users—hut the past failure of 
foresight by sophisticated data handlers should give us pause about present 
claims of bad anonymization. 

Third, when one considers the mistakes that have been made by sophis¬ 
ticated data handlers, one can begin to imagine the mistakes being made by 
the legions of less-sophisticated data handlers, the thousands of IT professionals 
with no special training in anonymization who are responsible for anonymis¬ 
ing millions of corporate database* Even if we can divide anonymization 
cases into good and bad piles, u i* safe ro assume that die bad toweis over the 
good. 

Finally, even if we could teach every data handler in the world how to 
avoid t!>e mistakes i f the past—a daunting and expensive proposition—our 
new, responsible appieach :o ancnvmizacion would still do nothing to protect 
all of the data anonym :zcd in the past Database owners could reanonymize 
databases they still controlled, but they would not be able to secuie die data 
diey shared or redistiihured in rhe past. 

c.The Problem of Public Release 


It would also Ire a mistake to conclude that the three stories demonstrate 
only the peril of public iclease of anonymized data. Some might argue char 
had the State of Massachusetts, AOL and hlctdix kept then anonymized data to 
themselves, oi at least shaiod the data much less widely, we would not have had 
to woriy about data pi ivacy. 

There is obviously some logic ro this objection. In Part IV, 1 argue that 
regulator* should treat publicly r eleased data differently than privately used 

I HI 

data. 

On the other hand, we should not he si a prised that we learned the 
lessons of re identification only after public releases of data. Reidennfication 
researchers can only rcidencify due which they can access. But other people 
with access to less-public mfoimnnon tmghr he rcidenufying in prh'are, keeping 
the results to themselves. Any time data is shared between rwo private parties, 
we should worry about ihe possibility of reulentiheation 

Moreover, we must not forget that anonymization is also used by compa¬ 
nies as an internal privacy control—to allow Department A to share data 
with Department B without breaching customer privacy H2 Just because data is 
kept wholly widun a company does not put to rest concerns about expectations 


Ml. ( M/ifl Rue IVC t 

M2 Sw >iipui note* 16-17 and accompanx mt* text 
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of privacy. If a company promises, (or example, to share behavioral uata wi»h 
its marketing arm only in anonymized four, we should worry tt at the power 
of easy rcidcntification gives (he company die tools needed to break that 
promise. 

cl The Myth of the Superuser 

Finally, some might objec. that the fact that reiclentihcatt m is possible 
does net necessarily make it likely to happen In particulai, if there are no 
motivated, skilled adversaries, then there is no threat. I am particularly sensi- 
Uve to this objection, because I nave criticized those who try to inlucncc policy 
by exploiting fe<?rs of great power, a tactic that relics on what 1 hav*. ^allcd 
the “Myth of the Superuser/*”' 

The power of identification, however, is not a Myth of he Superuser 
otory for three reasons: First, reidentification techniques are not Superuser tech¬ 
niques. The Netflix study reveals that it is startlingly easy to reidentify people 
in anonymized data.” 4 Although the average computer user cannot perform 
an inner join, most j>coplc who have taken a course in database management 
or worked in IT can probably replicate this reseat eh using a^ast computer 
and widely available suF ware like Microsoft Excel or Access.”' Second, the 
AOL release reminds us about the powei of a small group of b ?red bloggers. 
And thud, there arc great financial motivations pushing people to reidentify. 

Morcovci, 1 did not claim that feats of greaf power never happen online. 
Such a conclusion is provably < use. Instead, I argued that hecat sc it is so easy 
to exaggerate power, we shoukl ho lei those- olfcung stories about o dine power to 
try to influence policy to a high standard of proof.” 7 1 concede th.it my claim of 
^identification power should be held to the high standard ol proof, and 1 
argue that I have met that standard. 


143. Sec generally P.ml Ohm. The Myth of the * Fan , Ride, and Hw n Online, 41 U C 

Davis L Rev 1327 (2008). 

144. Nct/fix Pme Study, .utpra note 5,nt 112 . 

145 The INNER JOIN command is taught in beginner database t?xt.s . cc. c g., 

SHanON, 5 ufircc note 131; TAYLOR ,sul»t note HI, sit 309. WILSON&.CxXPV.5U|im note 131,at 501. 

146 See Salvador Ochoa cl ab, h'eidenoficmion of hJtmluols m Chicot s Hoorn k e Dowbasc. A 
TccKniaii Leg^ Study (unpublished sunk nt paper) (2001). mxiinMc nr hup/M> mil aiu/scm083/wwvv/ 
asdgnraents/rcfctawificatu-n.lvnnl (discu'-sing ftmnc.nl motives pressing people to p identify including 

those affecting marketers and hfockmai crs). 

147 See Ohm, «ipn note 143, at 1402 
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4. The Intuition Gap 

What each of the foicgotng objections highlights is the gap in intuition 
that persists among privaev experts. These privacy experts, primarily lawyers and 
business executives charged with pi o tec ting their companies’ users, dienes, 
and customers, cling to the idea that although anonymization may be weaker 
than we assumed, it has noi failed They may concede the need to change 
privacy policies or invest a hit more heavily m technology and expertise m 
■response to f hc 3tudie> ce^d above, hut they hope the'' need only small tweaks 
like rite so and not overhauls 

In the meantime, 1 predict that comp a to i scientists and talented amateurs 
will continue to release new examples ot powerful reidentTicacion, with 
each annotate me nr shaking those who sr ill cling to fal .e faiths. As have the 
past announcements, these (umie announcements will surprise experts by 
how cheaply .quickly, and ca si l y supposed I y robust anon y m iza t ion will hall. I 
make these predictions confidently, because the power ol icidentification traces 
two curves, both moving upv'ard incessantly the jxnvcr ol computer hardware 
and the richness ot outside mroimation. 

The future of anonymization and re identification thus promises years of 
awkward transition, as the privacy experts on the wrong side of the intuition 
gap weaken and then finely abandon then faith in anonymization. It may 
take years—maybe five, may tie ruo.e—ixdoic most privacy experts accept that 
they should abandon fuich m monynuiation, P.nd these will he years filled 
with dashed hopes and lecalibrared ex{>ec tar ions. The gap will probably take 
longer to close than it lairlv >hould, as companies and other interests vested 
in d\e cheap, easy promises of anonymization will try to convince otheis ro 
persist in their faidt despite the evidence. 

The rest of this A icicle will mostly skip past the coming, painful years of 
transition while die intuition gap closes. Instead, it will plan for what happens 
next, after the intuition gap closes, once we realize that anonymization has 
failed. What does the failure of anonymize non mean foi privacy law? 

H. How the Failure of Anonymization Disrupts 

Privacy Law 


Policymakers cannot simply ignore easy ^identification, because for dec¬ 
ades dicy enacted laws and regulations while laboring under die robust 
anonymization assumption. They must now reexamine every privacy law 
and regulation to see if the easy reidenrification lesult has thwarted their 
original designs. 
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Modem privacy law’s rend i a act prcvenratively, squeezing down the flow 
of particular kinds of information in older to reduce predictable risks of harm. 
In order to squeeze but not cut off valuable tianstcrs of information, legislatots 
have long relied on robust anonymization to deliver the best of both worlds: 
the benefits of information flow and strong assut Alices of privacy. The lailtire 
of anonymization has exposed his reliance is misguided, throwing carefully 
balanced statutes out of equilibrium. 

At the very least, legislators must abandon the ide 1 tha we p,otcct 
privacy when wc do nothing moic than identify and remove PII. "he idea that 
we can smglc out fields of information that are moie linkable to ilcntity than 
others has lost its scientific base and must be abandoned. 


A. The Evolution, of Privacy l aw 

In the past ceniuiy, the regulation of privacy in the Unite J States and 
Europe has evolved from schol.u ly discussion, to limited commoi i law torts, to 
broad statutory schemes. Before deciding how to respond to th: use of easy 
rcidentification, wc must recognize three themes from this histi cy of privacy 
law. First, while puvacy torts ft cus solely or. compensating tnjui cci \ icnms of 
privacy harms, more recent p ivacy statutes shift the focus from post hoc 
redress to problem p evention. Second, this shift has led to the mint for Pll 
through quasi-scicntific exercises in informal ion. catcgorimtion. Thi r d, legis¬ 
latures have tried to inject balance into privacy statutes, often ly relying on 
robust anonymization. 

1. The Privacy Torts: Compensation for Harm 

Most legal scholars point to a celebrated ntneteenth-centu ,y law review 
article by Samuel Warren and Louis Brandos, The R.ghe u, f r ’ -«<0, a.-> the 

wellspring of information priv icy law. In the article, Warren and Brandeis, 
alarmed hy the lise of tabloid journalism, advocated a new right of privacy, 
urging courts to allow plaintiffs to bring new privacy torts. H ° The concept 
of harm—intangible, incorporeal harm to mere feelings, but harm all the 
same—loomed targe in die article. For example, Warren and Brandeis 
describe victims of privacy deprivations as experiencing "mental suffering, 
"mental pain and d stress, far greater than could lie inflicted by mere bodily 


146 Samuel D. \Vwicn& Louis P Brandeis The Kvfit 10 Pmwy, 4 HARV. L MV. 193 (, I890). 

149 Irwin R. Kr.uroT!k Puli nj f’mmv L,m- A Ontury Since Warren ,md f rnnelas, >9 CAT I. 

U.L REV. 70 L 709(1990 

\ 50 Warren & kIcis, jupm n<te 118, M 213 
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injury, and injury ro the feelings.” 13 ' Thar the anchors focused on harm is 

unsurprising because rfu? cncuc article is a call for tt [a]n aciion of tore for damages 
in alt cases. 1,1,3 

Severny yeais later, William Proper synthesized the case law inspired by 
Warren and Brandeis men the foui privacy torts commonly recognized in U.S. 
jurisdictions today: 0) intrusion upon the plaintiff's seclusion or solitude, or 
into hts private affairs, « l) public disclosure of embarrassing private facts 
aixxir rhe plaintiff, <3) publicity that places the plaintiff in a false light in the 
public eye, and (4) appr«Y>uai.on, foi rhe defendant's advantage, of the plaintiff? 
name or likeness. 1 * 1 All foui require acted injury, as do all torts. 153 

2. Shift to Broad Stacutorv Pnvacy: From Harm to Prevention and PI 1 

Cxuuts ttxak rhe lead during the evolution of rhe orivacy torts l3 *' while 
legislatures stayed mostly m the background, doing little more than occa¬ 
sionally codifying privacy torts. Then, alxxit forty years ago, legislatures began 
to move to the forefront of privacy regulation, enacting sweeping new statutory 
privacy protections, l he teiu of computerization motivated diis shift. 

In d\e 1960s, the U.S. government began computerizing recoids about 
its citizens, combining this data into massive database? Tlx.se actions sparked 
gieat privacy concerns. Throughout the decade, commentators described 
threats to pi ivacy fiom computerization and helped defeat several government 
proposab. Spurred by this, in 1973 an advisory committee created by the 
secretary of health, education, and welfare issued a ropoi r that preposed a 
new framework called “Fair Information Principles” (FIPS). 1 ^ The FIPS have 


151. Id w 196 

152. W.iw 197. 

153. M. at 219. 

)Si. WAN Mm L. Pnwwi, Pmru y, *45 C\l L RfcV W (\960). Prosper w.in ah) the icpnrrci foi 
«»c kxxhki Re scaceirteiK ol Tixxa, m which he jUo pivHiuil^.ueu lui four privacy tori.**. RESTATEMENT 
(SECOND) or TOUTS § 65213 (1977) 

155. W. PAGE Kmxss LT Al.., PROSSLR & ^iri OH ON TORTS 5 (5rh eJ. 198-1) (ilcfinir^ ro-ta 
as a body of law which is direcreJ row.uJ the compensation of mJiviJu.il> ... for losses which they 
lun e sullered"). } 

156 Prosser, note 15*1, at >86-89 

157. £ N. Y. ClV. RlOl ITS L UV §§ 5CM1 (McKinney 2007). 

158. Priscilla M Regan, lltrsla .‘ino PimvactTloiinouxa', Social Values and 
Puhuc Policy 82 (1995). 

159. Daniel J. Solove, A 7 n.\onoiiiy oj Pmwy, 15*1 U. Pa. L. Rev. -177, 506-07 & nn 13S-4S 
(2006). 

160 . U.S Dei*T of HtAi;n i. Hour;, & Weli arl, Records, Computers, ano ti il : Rjoi rrs 
OFQ'nzi:N5(i971) 
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been enormously influential, inspiring statutes, 161 law review ai tides,* 62 and 
multiple refinements.* 6 ' 

FIPS require a data protection scheme that provides, among other things, 
notice and const it, xcess, data integrity, enforcement, and remedies, 161 but 
for the present discussion, whai the FIPS say is less important than what the 
FIPS wrought: a very diderent approach to privacy law, one that embraces 
rights of privacy tha 1 . do inoie ban solely ledress past ti.vm Influenced by 
the FIPS, legislatures 1 rave enact* d statutes designed to avoid "‘privacy problems” 


that have nothing to do with the "injury to feelings” at the heart of the 
privacy torts. As Dan Solovc puts it, “These problems arc more structural in 
nature . . They inv )lve less tF : over insult or reputational har n to ?. person 
ard more the creation of the risk that a person might be harmed in h p future.” 

Thus, begin run; in the IS /Cs, Congress began to enact statutes designed 
to reduce the risk, of harm. Congress’s approach for crafting the c laws is best 
described as Linnacan. Aftei first identifying a problem—"a risk that a 
person might be harmed in tbc future” 16 *'—lawmakers try to enumerate and 
categorize types of Information that contribute to the risk. They categorize 


oil a macro level (distinguishing between health information, education infor¬ 


mation, and financial information) and on a micro level (distinguishing between 
names, account numbers, and other specific data fields). Throug i this process, 
they have filled many pages of lLc U S. Code with taxonomies < f information 
types that deserve special treatment because of their unusua tendency to 

i 167 

cause harm.* 

Congress has dms embraced a wholly data-centric approach, the PII 
approach, to protecting privacy This approach assumes that lawmakers can 
evaluate the inherent riskiness of data categories, assessing with mathematical 
precision whctlici or not a pircicular data field contributes to the problem 
enough to be regulated. In do mg so, it tends to ignore messier, human factors 


r 


161 E g., The Privacy Ao of 1974 "require? agencies to follow the Fair Inf >rmation Practice? 
wIkh gathering and liar tiling personal data” Daniel I Solovc & Chris Jay Hnofnaglc, A Model 
Regime of Privacy PivhTfloii, 2006 U. iL 1 L Rtv 557, 361 (citing 5 U S C i 552a(:) (2000)) 

162. E.g , Maic R< tenbeig, Fair Infnnmcum Practice* and the Art hueentre of I Smicy (WIku Larry 
Doesn't Get), 2001 STAN. TECH. L. Rt V. 1, Fanl M S< bwaitz, ftccm/mon and Pn >acy, 118 YALE L.J 
902,906-22 pt. I (2<X)9). 

163. ORGAN I SAT ION FOR ECONOMIC COOPERATION 6i DEV., OECD G .HOLUNES ON THE 

Protection of Privacy and trans«orper Rows of Personal data .2001), available at 

htrpV/www.iihoh.org/occd-privacy-pci orwI-data.rDF, Federal Tratio (..offlimssK n, Fan fufonndtfon 
Practice Pvrncipfcs, hitp.//wv^ftc.gov/r'.ports/pnvacy3/fatrinfo shttu (last visited June 12, 2010). 

164. Federal Tradt Commission, supra note 163. 

165. Solovc. fupra note 159, at 487-88. 

166 Id. 

167. See infra note? 203-207 (gi‘ mg examples oi statutes that list c«v egone* of information). 
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rhat should also factor into a usk assessment, such as ihe likelihood that 
someone will be motivated enough to care about* a particular damsel. Ic * 

It is ncceisaiy, howcvci, to distinguish between two very different 
legislative motivations tor .singling out categories of information The easy ien 
clenciftCcUion result calls into question only the .second of these motivations. 
First, some statutes restnci .sensitive mfoimacion, the kind of information that 
causes fully realized harm when disclosed. 1 ** For example, rhe Drivers Privacy 
Piocccnon Act (DPPA) angles out “highly restricted personal information,” 
mcl-Kling sensitive clones !Ac 'photograph” and “medical ci .usability 
inioi mac ion. Jcasy reidenciacaoon Las not disrupted the logic of provisions 
Eke this one. Even chough robust anonymization has failed, it srill makes 

sense to treat .specially those kinds of information that can he used directly to 
cause harm. 

In contrast, lawmakers ofren single out categories of data tor special 
treatment under the mist iken belief that these categories (and only these) 
increase the iinkabilicy of anonymized data. Fur instance, the DPPA singles 
c>ut a second category of personal information, including linkable dara fields 
like social .security numbei and dnvci identification number, ft)r special, bur 
less lestrienve, treatment. The law implicitly assumes that this list includes 
every data held chat can link database records to identity—but easy ren 
dentification proves oduawise. When Legislators focus on linkahility and 
klentif lability in tms way, they enshrine lelcasc'anddorger, do identification, 
Plhremoval ipnioaches to anonymization mro law Tlus approach to legislation 
makes little sense in light of rhe advances in easy ^identification. 


3. How Legislatures H ive Used Anonymization to Balance lot 


ctesLS 


Writing about the privacy coirs, Wdlmm Prosser said char “fi)n determining 
where to draw the line the courts have been invited to exercise nodting less 
than a powei of censorship over whar the public may he permitted to read.” 17 ' 
So too is cveiy piivacy staiute an “exercise [in] the power of censorship.' 1 ' 71 
These laws lestiict the free flow oi information. This should give lawmakers 


168 . See in/ni F*art IV B {du>cu^m« motive) 

169 Arvmd Nara>an.m 6c Vitah Slmut ikov, Dc-Arumynuzing Social Networks, http J/user web Ci 
iiroxas alii/-}4im.if/shm.ii_iKik09 ptlf, ., PP . B (Ur ns.rcJ Juno 12, 2010) (noting that Mime law, single 
tKtr uifonnanon ih.tr £ WK is sensitive," while mlvi-* seek to pretenr “deductive disclosure”). This 
^^'T'^Eiho.ljviilKnu appendices Sec De-Auomfimring Noon/ NeneorJcj, supra note 11?. 

171. U. " * ^ H)U °° U) 

172 Piossei, iu/ira noie 154, .u 413 

173 M. 
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great pause. The free flow of infbi matron fuels the modem econotrv , nourishes 
our hunger for knowledge, shines a light on the inner workings of powerful 
institutions and oq^amrations, and rcpicscnts an exercise of libert*,' 1 Before 
enacting any privacy law, lawmakers should weigh the benefits o unfettered 
information flow against its costs and must calibrate new laws to impose 
burdens only when they outvveigl» the harms die laws help avoid. 

But for the past forty year % legisiatois have deployed a perfect, silver 
bullet solution—anonymization —that has absolved them of i <c need to 


engage in overt balarcing. Anonymization liberated lawmakers by letting 
them gloss ever the measuring and weighing of countervailing values like 
security, innovation, and the fre ' flow of information. Regardless, of whether 
those countervailing values weighed heavily, moderately, or hard . at alk they 
would always outweigh the minimized risk to privacy of sharing anonymized 


data, which lawmakers bcUcvcc to be almost nil thanks to anonymization. 
The demise of robust anonymization wiil throw the statute,, legislatures have 
written out of halnnce, and lawmakers will need to find a new way to regain 


balance lost. 

Consider how legislatures m two jurisdictions have died upon 
anonymization to bring suppos'd balance to privacy law: the U.S. s ilcaitn 
Insurance Portability and Accountability Act (HIPAA) and th^ 3 Data 
Protection Directive. 


a. How HIPAA Used Anonymization to Balance Health Pi ivacy 

In 1996, the US. Congress enacted the Hcaidi Insurance Portability 
and Accountability Act (HIPAA), hoping lo improve heaithcaie and health 
insurance in this country. 17 ' Among the other things it accomplishes, HIPAA 
is a significant privacy law. T r tle 11 of die Act mandates compliance with 
health privacy regulations, whi< h have been promulgated by tku Dcpaitmcnt 


174. See Kent V/alloT, Where Evi.yhody Know Tour Name: A Pragmatic Leak at the Onset vf 
Privacy and (he Reneffc of hiformation Ext hang c, 2000 STAN TtCI I. L. RtV. 2, 7-21 enunr.c rating the 
benefits of shared information) 

175 Tub. L. No. LOI-191, 110 Stai 1936 (1996) According to the preamh c to the Act, the 
purpose of HIPAA iv 

To amend the Internal Revenue Code of l%6 to improve pra lability and eontinmry of health 
insurance covcra^je in the group and individual maikets to combat waste, frai J, and abuse 
m health insurance ard health care delivery, to promote the use of medical savu igs accounts, 
ro improve neecs~. to long-term care service,*- and tmci.igq, to simplify the administration of 
health triMirnncc, anJ for ocher purposes 
Id 
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of Health and Human Services (HHS) and are now known as the HI PA A 
Privacy Rule. 170 

In nvny ways, the HIPAA Privacy Rule represents chc high-water mark 
tor use ot Pti to balance privacy usks again ;r valuable uses of in format ion. 177 
HIP A A demonstrates Congress's early sensitivity to the power of reidenufica- 
tion, through its treatment ot what it calls the “de-identification of health 
information" (DHI). 17 " HIPAA irsell exempts data protected by L)HI from 
cuiy regulation whatsoever*' hue defines DHI so as to allow for further regulatory 
tmciprelation—and HHb has used tins SLacucoiy mandate to define Dlil as 
information that does not identify an individual* nor provide “a reasonable 
basis to laebeve chat rhe information can lx j used to identify an individual.” 1 * 3 

HHS s Privacy Rule ebhoiates ihis ’'ague reasonability standard timber 
in two alternate weya. Firsr, undci the so-called ‘statistical scandai d,” data ;s 
DHI if a scar-ician or other “(Vison with appropriate knowledge... and 
experience” fonnally determines char the data is not individually identifiable. 1 * 
Second, data is DHI under rhe so-called “safe harbor scandaaT if the covered 
entity supposes or generalizes eighteen enumerated identifiers. 1,0 The Privacv 
Rule’s list i*> seemingly exhaustive—perhaps the longest such list in any pri¬ 
vacy iemulation in rhe world. Owing to the release of Dr. Sweeney’s study 
around the same time, rhe Piivacv Rule requires the lesearcher to generalize 
birth dates to years 14,1 ami ZIP codes to then initial three diyics. 1 * 

Congii bS and HHS concluded simply that by making data unidentifiable, 
healdi professionals could tiade sensitive information without impinging on 
patient privacy. Moreovei, they fm:e these conclusions in amber, enumerating 
a single, static list, one they concluded would protect privacy in all health 
privacy contexts. 1 * 5 In promulgating the Privacy Rule, regulators relied on their 


176 id § 264 (directing the iocreiuiy of Hiafdi and Human Scivico to submit standards for 
protecting privacy), HIPAA Privacy Rule, 45 C F 1C 160, 164 (2009) 

177 Jay CJine, Prwitcy XhiUo \• Wlten U Personal Dam Truly De-Identified 7 , COMIHJTERWORLO, 
July 24, 2009 lurp://\pvw.compur«..w m Id a*tn/>/art„ k.+)I 356°8/Pii^icy_in,irrc^„\Vhen_u_|x*r i <):'iaL 
data_i w ly_de_jdct ittiiai ( Mo oilier counu ) hb developed a more u^oious w derailed pm dance for 
Ixnv to convert: pcrsaiul data coveted b) puvaev icpuiauoib mto non-peisoiul data."). HIPAA b not 

mo* recent information privmy law cn.u ret'm rhe U.S. See, u.g , Gramm Leach-BMey Act of 
B>99, Pub. L. No 106-102, (codified ;n 15 U.S C ^ (>801-6809 (2006)), Children** Online Privacy 
Protection Act of 1998, Pub. L. No 106-170, (codified 15 U.S C §§ 6501-6506 (2006)). 

178. See 43 Cf R i64 502(d)(2), 164 514(a). (b) (2009) 

W 

U § I ft4.5144a). 
hi § 164514(b)(1) 

Id § 164.514(b)(2) 
id § 164.514(b)(2)tC). 

W. ^ 164.514(b)(2)(B) (allowingonly run Jijjit** lot ZIP emits wm h 20,000 or fewer rcMvienrs) 
Since promulgating tlie wlc b.ubor lisi ••Inline a decode a^o, FIHS bus never amended it 
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faith in the power of anonymization a.-- a si and-in for a meaningful cost- 
benefit balancing. This is an opi’ortunity lose, because it is bard :o imagine 
privacy problem with su< h staikly piescntccl benefits and costs. On 
one hand, free exchange of information among medical researche .s can help 
tliem develop treatments to ease human suffering and save lives. O i the other 
hand, medical secrets .ire among the most sensitive we hold. It wukl nave 
been quite instructive 10 see regui .uns explicitly weigh such ttatk (Itciccs. 

By enumerating eighteen identifiers, the privacy Rule assumes that any 
other information ihat might be contained m a health record can tot be used 
to retdentify. We now understat'd the flaw in this reasoning, ant we should 
consiJet revising the Privpcv Rul us a -esuk 

b How the EU Dan Protec non Directive Used Anonymization 
to Balance internet Puvacy 

EU lawmakers have also reli rd upon the powet of anonymization to avoid 
difficult balancing questions. Unlike the American approach with H1PAA, 
however, the EU enacted a broad industry-spanning law,' 1 ' the Dali. Protection 
Directive, which pur,x)rts to covet any "personal data” held by any data 
administrator Data is person.,I data if it can he used to identify someone 
“directly or indirectly, in partici h.i ty reference to an identification number 
or to one or more factors specific to his physical, physiological, i rental, eco¬ 
nomic, cultural or social identity.” 

The EU never intended the Directive to apply to all data. Instead, it 
meant for “personal oata" to exclude at lean some data—'lata that was not 
"directly or indirectly” identifiable, such as anonymized data—from regulation. 
Like their U.S. counterparts, tU lawmakers imagined they ecu Id strike a 
balance through ibe power of technology. If anonymization worked, data 
administrators could freely share information so long .is data subj :cts were r.o 
longer “directly or indirectly” identifiable. With this provision, El J lawmakers 
sought to preserve space in society for the storage and transfer of anonym Led 
data, thereby providing room for unencumbered innovation and free expression. 


186. See m/m Part 1V.D.I. , » 

187. T1k Oitectivc obligates EU cnuiuncs to rr.uv.poic us rules into domesue law within a 

set time frame. Eur GWn Justice it Hrane Allan*. Tramposmon of the Dim IV wnw »»««»*. 
http'7/ec .cnmT>a.cu/)us! icc_lomc/fs|/priv ,cy/l.wrc|xut/imicx_cn him (list visited J me U, Ztl I. 

188 EU Dura Prxeci ion Directive mi |»fl note l, .in. 2(;i). 

189 Id 
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Whether and to whvir extent the Directive letnins such a preserve has been 
debared in the internet privacy context. 90 For several years, dac EU has clashed 
wid'i companies like Ooogle, Yahoo, and Microsoft over what they must do to 
protect databases that track what rheii useis do online. 1 * 1 Much ol this debate 
has turned on what companies must do with stored IP addresses. An IP address 
Is a numeric identifier assigned to every computer on die internet. 1 ' 2 Just as a 
MX*ia! seem icy nunibei identifies a person, an IP addiess identifies a computer, 
so an IP address can tie online conduct to location and identity Fvcry 
computer rewals us ip addicts to even other compucei it contacu./ 9 ' 1 so every 
tmvc l visit Google, my computer lc veals its IP address to a Google computer/ 95 
Following longstanding industry practice, Google records uiy IP address along 
with derails about wii.it 1 am doing when using Google’s services m 

Ooogle has aigucd to the EU that u protects die privacy ol its use.* using 
anonymization, by throwing away pare, not all, of every IP address. 197 Specific 
caHy, an IP address is composed of four equal pieces called octets, 19 and Google 
stores the first three octets and deletes the iast, claiming chat this practice 
protects user pnvac> M-ilficientlv. 1 " Google's competitors, Microsoft and Yahoo, 
aie much mme thine nigh, throwing away enure IP addresses. 2 * 1 

At its core, this too u a deflate alxnii balance—between the wonderful 
innovations Google promises it can Jelivci by studying out behavio^ 01 and the 


^ C,L '» l * & • Hcdcnck Lah, Nou* \<c IP Adhesse'- "Pe\saiuilly UPnrifndAe /n/oimrrrfoti ft ‘ 4 US’ 
J.L & fOL’Y IViR INIO SOO'Y fsS I ' 200K) 

I Ol. E.g i Posting of S.imI HansclI. Gwop c V<mr IP Addiess H PeiMnuiI, N Y. TlMCS BITS BLlXi, 
luqiVAncs Mi*s.nycime>a»-w‘X\X5A)l/22/ctm^our-!|v.Klk*.s»-i^|XTM»iuii (fan 22, 2008). 

102. fXXAJLASODMLK, I f NTLUNETWORKING WITH TCP/IP 42 (5ih cd 2006) 

103. Id At *H—14 

104. Id .u 45-36 
405. Id. 

1%. SfMSON OAK I INIvLL 6i C h.SSL SrACRMO, \VlB SECURITY, P»UV*\0 . \ND OllMMfcRiLH 211 
( 2002 ). 

107. 


107. Letter Fiom Gouyiv ro Oongic.v>m:m W Rut m I M) (i21, 2007), maduble at 
iutpV/scai d tc.ncl.iiiC t«'iu/pjL/071222 -Lh urn pdf 

408. Ojmlr, note 192, ac 53 

409. Lccrci Ti.imOoo^k u> Coni;ie.s\ninn Joe Barron, supra nore I>>7, ,tr 14-15. 

200. QJuuit/ral Atkvwstr ; Wi.un PraakVdntJ Consumers' EvpeLutrunu, Hearings Before i! e H 

Cumin on Emrg\ aiklCuimunce, Sukmnm on Cuimirnnainoiis, Ta/iiwi/t*** .md the Internet cuvi Subcomm 
on Commerce, Tnde andCunmmei JWvfnm. II hh Cony 1 (2000) (jiaicmcnc ol Anne Tech, Head 
fri\(k.y, Tihtx) Inc.), fosonyol fctei L ullen, Chief ) nwicy Srnitc^isr at Mtcr.isnft, Mk rusofi Privacy 
&. S&cy, \4iavsuf( .Sh/i/joik Sttong InJmov Search Data AnoiiNmijrunjn Standards, MICROSOFT IXIVaCY 
AND SANITY Bux.;, hupy/blijp IlcIukc aim/prIv.icyim|via t ive/archive/2008/12£)8/micni.soli'$iipporiS' 
stujn^Hviumy-dc■aidv-daca-an*>i lymn.n ioi v^raidarJa supx (Dee. 8,200S) 

204. In 2006, ro r»y in placare rhu»v woitieJ alvnir privacy, Cooyle anchored a sei ie> of blog 
“alvuK how Jrhey] hai ne*» the data [rheyj collect ro impiovc (rheirj pn duces anj services for [rheii) 
Uiors” Posting of Matt Curts, Software Cngnuer, Using Dura tu Fight Wcbspcim , Tl 1C OFFICIAL 
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possible harm to users whose IP iddresses arc known or revealed. , Vgam, claims 
that wc should trust robust anonymization stand in for nuancod careful cost- 
benefit balancing arguments. Google promises wc can have our cake while it 
eats it too—by placing our tmsi m data anonymization. 

8. How the Fa dun' of Anonymization Disrupts Privacy Law 


In addition to H1PAA a id the EU Data Protection Directive, almost 
every single privacy statute and regulation 202 evei written in ;he U.S. and 
the EU embraces*— implicitly or explicitly, pervasively or only incidentally—the 
assumption dirt anonymization protects privacy, most often by < xtending safe 
harbors from penalt' to those who anonymize their data. At ihc very least, 
regulators must leexarune every single privacy law and regulation. Tlie toss 
of robust anonymization reveals die lurking .rebalance in these privacy laws, 
sometimes shifting in favor o protecting privacy too much aid sometimes 
fa voting the dou of uifoimatioo too much 


Easy rcidcnufication makes F'H-focuscd laws like H1PAA ut dcrprotcctivc 
by exposing the arbitrariness of their intricate categorization anc line drawing. 
Although HIPAA treats eighteen categories of information as especially 
identifying, 01 it excludes from this list data about patient visits--like hospital 
name, diagnosis, year of visit, patient’s age, and die fust thre* digits ot ZIP 


code—that an adversary with rich outside information can use to defeat 
anonymity. 

Many other laws follow the same catcgori:ation-an<-line-drawing 
approach. The Driver’s Privacy Protection Act requires special handling for 
[personal information” including, among other things, “social security num¬ 
ber, driver identi icat km lumber, name, address..., (and] telephone 
number, ’ w while requiring much less protection of “die 5-digi zip cude” and 
information on vehicular accidcntr, diiving violations, and driver’s status.” 205 


Similarly, the Federal Education Rights and Privacy Act (FERPA) singles out 
fer protection “directory' infoinvtion,” including, among other things, “name, 


v 


GOOGLE Blog, httfK//gopgkblojt'.idn£vpotamV2006/0b/miny-dfita-rn-fiylH'web}i sun him! (lunc 27, 
2006, 4*5 1 EST) (linking to earlier pons in ihc SCI ICS ) 

202 In tlus Article, I focus on stalutes and rcpihliot^ for several reasons First, these mles provide 
a concrete set of textr> nbo it which I can mike com>jx>ndindy concrete observations. Second. American 
and European appro iches ro privjicy legislation differ somewhat, providing a a imperative study Third, 
"hen it comes to dictucng how mfor nation is collected, analyzed, and disclosed in modem life, no 
other source of law has t’ ic influence <> r privacy statutes and regulations 

203 45CF.P §§ 164.502(d)(2), 164.514(a), (b) (2009). 

204 (8U.SC $ ; 725(3) (2000 

205 U 
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address, telephone listing, date and place of birth, [and] major field of study." 1 * 
Federal Drug Administration regulations permit the disclosure of ‘‘records 
about an individual” associated with clinical trials “[wjhere the names and 
other idem living inionnacion are first deleted ” 207 These are only a few of many 
laws that draw lines and make distinctions based on the link ability of infotma- 
rion. When viewed m light of the easy reidentification result, these provisions, 
like HIPAA, seem mbiinuy and underproceciive. 

In contrast, easy ^identification makes laws like the EU Data Protection 
Directive oveibroad—ip tact, essentially boundless. Because the Direcnve 
rums on whcchei information is “directly or mJiiectly'’ linked to a person,** 
each .successful re identification of a sujspo.se Jly anonymized database extends 
ri\e regulation to coxier that database. As reidentificatu n science advances, it 
expands the E T J D’motive kke an 'deal gas to fit the *hape of its container. A 
law that was meant co have lames :s rendered limitless, disrupting the careful 
legislative balance between privacy and information and extending data- 
handling requirements to ail data m all Mtuations. 

Notice char the way the easy leidenrificaiKm result disrupts die Directive 
is the mmroi image of die way it impacts HIPAA. Easy reidentification makes 
die protections of HIPAA illusory and tinderinchisive because it deregulates die 
handling of types of data that can still be used to rcidcnnfy and harm. On 
die other hand, easy reidentification makes laws like the EU Data Protection 
Dtrecnve boundless and overbro«id. We should tolerate neither result because 
bodi fail to achieve die balance that was onginally at the heart of both types 
of laws. 

Most puvaev laws match one of these two forms. Even the few that do 
not fit neatly into one category or the other often contain terms that are made 
indeterminate and unpredictable by easy reidentification. As one example, 
die Stored Communications Act in the U.S. applies to “iccord[s] or othei 
information pertaining to a subscriber., or customer,” without specifying 
what degree of idennfiabihry makes a lecoid “pertain.”*'* As reidentification 
science advances, conus wall struggle to decide whethei anonymized records 
fail within flits defuiinon. 1 he vagueness of provisions like dais will invice costly 
litigation and may result m irrational distinctions berween jurisdictions and 
between laws. 


206. 20 USC § 12J2g(u)(5)(A) (2006) 

207 21 CF.R. 2l.70(a)(3)(i) (2009) 

208. EU Dura Proreenon Diicimv, wi/jui not «.• 5, ,ht. 2(:i) 
209 18 USC § 2702(c) (2006) 
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C The End of HI 


1. Quitting the PII Whack-a-Molc Game 


At the very least, we miN abandon the pci vastvcly held i lea that we 

can protect pi i vac// hv simply icmovng personal!} identifiable *nformation 
(PII). Tills is now a discredited ipptoach. Even if we continue tc follow it in 
marginal, social case.-, we must; bait i new' course in general. 

The trouble is that PU is tn ever-expanding category. Ten years ago, 
almost nobodv would have categerzeJ movie ratings and search queries as 
PU, and as a result, n i law or regulation did either. 110 Today, foi r ycats after 
computer scientists exposed the powci oi these categories ot data to identify, 
no law or regulation yet treats them as PII. 

Maybe four years has no been enough time to give regulators the 
chance tc react. After all, HIP AAV Privacy Ruie, which took ef ect tn 2003, 
does incorporate Or. Sweeney’s research, conducted in the mid 1990s. It 
expressly recognizes the identifying power of ZIP axle, birth date, and oex, 
and carves out special ticatmcnt for those who delete oi modify them, along 
with fifteen othci categories of informal ion . 2U Should this be i lie model of 
future privacy law reform—whenever rcidetuihcatton science finds f ields of data 
with identifying power, should we update our regulations to er compass the 
new fields? No. This would miss the point entirely. 

HIPAAV approach to privacy is like the carnival whack-?-mole game: 
As soon as you whack one mole, another will pop right up. No matter how 
effectively regulators follow the latest rcidcntihcation research, Hiding newly 
identified data fields into new laws and regulations, researchers will always find 
more data field types they haw not yet covered/ 11 The list of potential PII 
will never aton growi ig until it includes every thing.' 11 

Consider another rcidcntificatiou study by Narayanan and ' Jhmatikov/' 
The researchers have rcidcntific I anonymized users ol an online s< cial network 
based almost solely on the stripped-down graph of connccti ?ns between 


210. The ViJeo Pnv wry Protection Acr, enacted in 1988, protects list*, of mo»ies watched no r 
because they are PU, bit ho ausc they arc sanitise IS U.$ C. § 2710 (2006). For mo c on the distinct 
lion, see wpra Part II.A 2. 

211 . See supra Part I. ill .h ( describing Sweeney's research). 

212. 45 CF.RJ§ 161502(d)(2),)64.5(4(a)-(h) (2009). 

213. Sec Nanvyai van ( i Shmntikov, mpra note 169 (“While some data elements may be uniquely 
tdcrttifY*UR on their own, u ty element can lx' identifying tn combination with other "). 

214. Of. id.; Dimir Ntssim, su{ >a note (IS, at 202 (“[T]hcrc usually cxb“ other means of 
tdentifying patients, v a indirectly idcnti ymg attributes .stored tn the database ") 

215. See Narayanan -Sr Shmattkov, stt£m note 169. 
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people By comparing tire structure of this graph to the nonarumymizeJ 

graph of a different social network, they could reklencify many people even 

ignoring almost all usernames, activity information, photos, and every other 
single piece or identifying information.'' 17 

To pro -e the power of the method, the researchers obtained and ano¬ 
nym,zee, the entire Twitter social graph, reducing it to nameless, idenruy-fice 
mines representing people connected to other nodes representing Twitter’s 
follow relationships Next, they compared this mo.tly deidenuhed husk 
of a graph, to public data harvested horn the Flickr photo-sharing soc.al- 
netwer site As it hapj sic, tens oi thousands of Twitter users aic also 
t-Uckr users, and the researchers used similarities in the structures of Flickr’s 
contact ’ graph and Twitter’s “follow’’ graph to re.dentify many of the 
anonymized Tw.ttc. user .do,nu«es Vfr ah this technique, they could rcdentify 
K usernames or full names or one-third of the people who subscribed to both 
Twitter and Flickr.' Given this rose!-, stvoulc! we add dcidenaficd busks of 

!OC,al "piking Staph? a catego.y of information that is almost certainly 
unregulated under U S law yet shared quite ofcen 7 *-to die HIPAA foivacv 
Rule list and to the fsts ,n otlie, PI I-focused laws and regulations? Of course not. 
Instead lawmakers and regulars should reevaluate any law or regulation 
lat draws distinctions based solely on whether particular data types can be 
ipfcec. to identity, and should avoid die king new laws or rules gioundcd in 
such a distmctKin This is an admittedly disn.ptlve piescnption. PH has long 

i C C ri Uei ° f masS amunJ v ' hich data privacy debate has 
<x iced, but although disuiptive, this pioposal is also necessaiy. Too often, 

t e only thing thar gives us comfort alx.ua cuirent data practices is tliat an 

administrate, has gone through the motions of identify,ng and deleting PII— 

and in such cases, we deserve no comfort at all. Rather, from now on we 

need a new organizing principle, one that refuses to play the PII whick-a- 

mole game. Anonymization has become “piivacy rh«atei”;“ it should no 

f 1L, f U1 jjijw ran tees v">f privacy. 

216 See Dd-Anonv}ji(>/i,q Sucnil NetwrjiU, >u /»<* nor*. I! 7, m IS2-^5 

21”. H at U14 

1 SO‘JLi W | T " ,mlie rh °, rhc ‘ l ^' :lr<hcr ' <ir » r h:i ‘l «> W- then tiara b y .denufyuv. 

ISO ptqde who «c menol foil, T«,ccu and Fl.clu They ar«ue lluu ,t would not lx- very j2uk 

lorun jibvisury to find this much iniomi.ir.on, :uiJ ility cxpl.un luw they cm ue "opix.icun.aic M l,., 
toroJucc the amount otxoed data needed Id u 1S|-«S oppuftmanc aedmy. 

219. Id 

220. Id ;,t 17-1-73 (lurveym.’ example, ol hou .reial-nctwork data ,.shared). 

«;;« £.7 *’ U “' ,M ■" 2 ,»*,»«, 

»s *- 7s ua ’- 1 »• 
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2. Abandoning "A nonymize” and "Deidentify” 

Wc must also correct the ihooi c we use *n information privacy debates. 
We arc using the vtohr terms, z nd wc need to stop. We must abolish the word 
anonymize; 22 * let us simply strike it fiom our debates. A word that should 
mean, "try to achieve anonymity” is too often understood lo irean “achieve 
anonymity/ among technologists and non technologists alike We . ieeo ? 
word that conjut :s el tort, not a.:hiev< moot. 

Latanya Sweeney has smulaily argued against using form,, of the word 
"anonymous” when they are not literally true. 221 Dr. Sweeney msi ead uses “deb 
dentify ’ in her research. As she dehne. it, M {i]n dcidcntified da a, ail explie**. 
identifiers, such is SSN, name, address, and telephone number, are removed, 
generalized, or replaced with a r ia<Je-up alternative. ’ Owing to aer influence, 
the HIPAA Privacy Rule explicitly refers to he “tie-identifies tio i of protected 
health information 1,226 

A ithough “dcid endf/ ’ cart ics 1c-s connotativc baggage than anon ym izc, 
which might make it less likely o confuse, I still find it confusing. Dcidentify 
describes relcase-and-forget anonymization, the kind called seriously into 
question by advances in reidcntific itior. r eseaich. Despite this, many neat 
claims of deidentificr.rion as p onuses of ;o^ustne^':/ 2, whtb* in crJity. people 
can detdentify robustly or wcaldy.* 2b Whenever a person uses die unmodified 
word “deidenufieu, 1 wc should demand details and elaboration. 

Better yet, wc iced a nev word f«x pi ivacy-motivated data manipulation 
that connotes only effort, not success. I propose “scmb. Unlik: anonymize 
or ‘‘de identify,” i< conjures only effort One can scrub a little, a let, not enough, 


223. A»xmyroiw: H \ relatively yuun<» word. The Oxford English Die nonary traces the first u e c 
-if the v,,rd “aiicnyir izixT to 1972 iySr A bn Man., llv* UA i .irlbineniary Omi adsman. OXPOPD 
English DICTIONAII Y ( A Jditions Sene? 199/) n now lav before Parliament.. the I ill but nnonymised 
texts of... reports on individual eases ”1 According to rhe OED, the usage of the «mJ us “chiefly for 

statistical purposes." Id. , . „ ,. 

224. Latanya Sweeney. Weaving Tci/mofoc? <mci Policy Tether to Maintain Cm/idcntwlity. «.:> J l- 

MED. & ETHICS 98, 100 f 1997) (“The term iinoiiymous implies that the data cannot he manipulated 
or linked to identify an individual.”) 

225 Id. 

226 45 C.hR § M 514(a) (20 *9) (defining icim) 

227. Sec. c.r., bifra Tart 1V-D 2.a Idiscussuig Google s weak abroach (o nnor ynuzation of search 
engine 1c>g files and lum ihe company rearv these practices as robust). 

228. For similar realms, l do ix>t i -commend replacing “anonymize” with rhe p iraliel con^mcrion 
“pseudonym izc.” Set Christopher Sop wian. The Problem of Anonymous Vanity Stages, 3 l/b-J.L. **. 
rOL’Y TOR INFO SOC'Y 299, 300 (2(07) {“In an effort to protect user pnvac\ the records were 
‘pseudonymized’ hy replacing each individual customers account I.D. anj compiler network address 
with unique random numbers."). Just as "anonymize” fads to acknowledge overs,hie scrubbing, 
“pseudonym izc" fail* lo c red it lobust st rubbing 
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or coo much, and when we hear the word, we are not predisposed toward any 
one choice tiom the list. Even bectci, technologists have been using the word 
scrub foi many years " In tao, Dr Sweeney herself has created a system she 
calls Sciuh for "locating and leplaong personally-identifying information in 
medical records ”' w 


III Half Measures and False Starts 


Focusmg on i Lungs otner man PH a disruptive and necessary first seep, 
txic ic is not enough alone to restore the balance between privacy and utility 
that we once enjoyed How do we hx the dozens, perhaps hundreds, of laws 
and regulations char we once believed ;efleered a finely calibrated balance, 
bur in reality recced on a fundamental inisuntlcisianding of lienee 7 Before 
turning Parc IV, to a new test toi restoring the balance lost, !ec us hrsc 
consider thiee sdue’oas char are less disruptive ro the status quo but are unfor¬ 
tunately also less likely to iencore the balance. Legislators must undeistand why 
these three solutions—which they w41 be tempted to rreat as the only 
necessary responses—are not neatly enough, even in combination, to restore 
balance to privacy law. 

First, lawmakers might he tempted to abandon the preventative move of 
die past forty years, taking the failuie of anonymization as a signal to return - 
to a regime that jusr compensates harm Even il such a solution involves an 
aggressive expansion of harm compensation—with new laws defining new 
types of harms and increasing resources for enforcement—this is a half 
measure, a necessary but not sufficient solution. Second, lawmakers might be 
encomapcd to wait foi rhe technologists to save us. Unfortunately, although 
tedtnologist s will de vd<>p letter pi i vacy- pi < irecrion techniques, they will run 
up against important theoretical limits. Nothing they devise will share the 
single-bullet universal power once promised by anonymization, and thus any 
technical solutions they offer must be backed by regulatory approaches. 
Finally, some vwil tecum mend doing hole more than banning reidentificaiion. 
Such a ban will almost certainly fail 


229. S«?c\ eg, Jcrcnn KuL, Yn/iuo to Soul* PiimjiuiJ Delta A/rei TAiee Mont/ur, IDG NliWS 

StUVlCL, Dec. 17, 2008, i«vnLi/»L at hup //www pewudd Ci mi/. i rric le/1 55610/y,i lioo_rn_.\cn ih_pej mmi.iL 
<Lr.i_a<TeL_ri’irec_iiionrhs hrml (uyomng Yahoo* \ decision ro “anonymize” its databases of tcnjinve 
information ninety dayt> aftei collection); Tommy Pc re r sun, Dora Snubbing, COMPUTOllWORLO, 
fWi 10, 2003, hrtp //www compua iwt n LI coiiVacut m/artide*lo’command* viewArticleBusiC'Si.arucleld« 
78230 

2)0. Laemya Sweeney, P&vtntilh'UlsmjMng Infutmamm in Medial/ getorrh, the Scrub 

Sywm, m I l »6 1. AM. Mm INI OR M A TICS ASS'N PRCV 3 33. 



f 




1746 


57 UCLA Law Review 1701 (2010) 


A. Strictly Punish Those Who Hmm 

If rcidentification mokes it easier for malevolent actors like identity thieves, 
blackmailers, and unscrupulous advertisers to cause harm, perhaps we need, 
to step up enforcement of preexisting laws prohibiting idenity thefc, 
extoi tion” 2 and unfair matketm x practices. 2 " Anything we do to deter those 
who harm and provide remedies foi those harmed is, in light of the incie&seu 
power of reidentifitati m, imperative But this is merely a necessi ty response, 

not a sufficient one. 

full retreat to a toit-bascd privacy regime, *hich would «-bander, the 
forty-year prevent itivc tum in p»ivac> law, would he a grave mistake, because 
without regulation, me easy reidciitiiiociuofi result will spark c frightening 
and unprecedented wave of pir acy harm by increasing access to what I cali 
die “database of ruin. ’ The database of nun exists only in potential: It is the 
worldwide collection of pU of the facts held by thud parties that can be used 
to cause privacy-related harm to 1 boost c'cry member of society. I asy access to 
the database of ruin flows from v*h«ii l call the acciction problem. 


i 

A < 


The Accretion Problem 


The accretion problem ts this. Once m adversary has lint ed two ano¬ 
nymized databases together, he (an add the newly linked data to I as collection 
of outside information and use it to help unlock other anonymized databases. 
Success breeds further success. Narayanan and Shmattkov expla.n that once 
any piece of data ha) been Uni ed to a person’s real identity, ary association 
between this data and a virtual identity bicaks the anonymity of the latter. 
This is why we should worry e'-en about re identification events that seem to 
excise only non,sensitive information, because they increase tlv: hnkabdily of 

data, and thereby ex|x.we people to potential future harm. 

Because of toe accretion pioblcm, cvcrv re identification event, no matter 
how seemingly benign, brings people closer to harm. Recall th it Narayanan 
and Shmatikov linked two IMDb users to records in the Neeflix f rize database 
To some online observers, mis connection seemed nonthn a ten mg and 
trivial*'' because they did not a.te if others knew what movies they had rented. 


Z.M. E.r.. I8US.C. § 1028 <200 C);Cal PtNAlConeS 5305 (l99 n );MAR. GfcN. Laws eh. 

66 , § 37E (2002); N.Y. Pi NAL LAW §5 190 77-190.84 (2010). 

2 JZ. £.»., 18 U.S.C. § 872 (20061 (proM'Uinu extortion by federal pov mmr nt ofhaals). 

233. E.g., 15 Uii.C § 45 (2006) 1FTC ptovision regulating unfair compctiti >n/, U*\L. bus. ca 

fcOF.OODESS 17200-2 in <2008). 

2^4 Nctflix Pn<e Sii r h, w{jra note 5, at U9 . 

235 Eg, Comment <rt chcf-clc to Neill,x Pt,:c Knum, lut r //«tvw.ncillucpret com/comtmmrty/ 
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These people failed to see how connecting IMDb dara co Necflix data is a 
stop on die path to significant haun. Had Naiayanan and Shmatikov not been 
rescricrcci by academic ethical standards (not to mention moral compunction), 
they might have connected people ro harm themselves 

The researchers could have created the connections they made between 
IMOb usernames and Neillix Fuze dara a< rhe middle links in chains of 
inferences spreading in two direction 1 .: one toward living, breathing people 
and the other toward harmful tacts Foi example, they could have tied the 
list of movies rated m me Netfiix Prize database co a list cl movies rated by 
useis on Facebook x suspect that the fingerprint-hkc uniqueness of Nccflix 
movie preferences would hold for Facehook movie preferences as well. 236 

Th^y could ha<'e also easily extended the chain in the other direction by 
making one reasonable assumption* Pcoole tend to reuse usernames at 
different websites. 23 * User john_doe20 on IMDb ts likely 10 be john_doe20 
on many ocher websites as well/ 13 Relying on this assumption, the researchers 
could have linked each living, breathing person revealed ihrough Facebook, 
through d\c Nccflix p nze data, rhrougb IMDb username, to a pseudonymous 
user at another website. They might have done this with noble intentions. 
Perhaps they coukl have unearthed the identity of the person who had savagely 
harassed people on a message boa id 2W May lx: they could have determined who 
had helped {dan an attack on a computer system on a 4cban message board. 240 
But they'also could have revealed identities to evil ends. Perhaps they could 
have tied identities to the pseudonymous people chatting on a child abuse 
victims support website, in nrdei to blackmail, frame, 01 embarrass them. 


viewcopicip?»d**809 (Nov. 28, 2007, 09:04:54) (“I think you can find out more nix ut a pcison by 
typiruj rheir tuiinc* into Oon^L’, rhi* Netllt\ d.wvt eisc-orujioeeriny iIocmiV seem to hi* a higher threat 
than fhar.”), (xMimcnr ot'junmyjor to The Physic* .uXiv Ulotf, hrcp://arxivb!t>g.conVfp®M2, (Feh. !7, 
2006) ( 1.1 k ncc of niovios also d»>e> nor ro!I a u hole lor 1 ) See also various comments ro the posting 
Anonymity afNciflix Pure Daraxt iWten, SLA^MOOT, lutp-/At.sl;vshJuc.or^/article.pl?Mj-07/n/2?/ C ' 
n34244&fuxn a r& (Nov. 27, 2007) 

2If Of coui.se, v\ en with, me the Nerflis d.*\. release, Narayanan ant* Shmankov mu*hr have 
Ixxni able connect: some tvaird* in the IMDb dacaha*c directly to Facehook reconls. But recall rluit 
for many users, the Nccflix data contain* movie* not rated in IMDb. 1 am assuming tluu for sotne of 
the people who use ail three services, no duecr mnnecuon between IMDb and Facvhnnk i; possible. 
Thunks to Jane Yakowitz foi this point 

237. Aivmd Nurayarmi, LnJb^difb coin A J \>' A»inny » uyiticn i 33 BITS CX ENTROPY 

Bl.Ot», kitcp7/33hits.orji/-iX)8 /1 \ ([2/51 (Nov. 12, 2008} (“Many people use a umt|ue username 
everywhere .. **), De-AnimyniiVn^.ViCfej/ NVnunLs, \ufna note 117, at 6-7 (relying on fact that users 
reml ro reuse username* on differenr social nervvoiks). 


238. See Narayanan, supnt nun 237. 

239. Danielle Keats Citron, Cy/vi-Cu*// fluj/its, 89 B U. L. Rlv 61, 71-75 (2009) (<ji*cus*iiii> 
harassing comment* on the AuroAdivur mremer dv-cusMon Kurd). 

240. Muuarhius Schuuirz, T/ie Trolls Aiming (A, N.Y. TIMES MaG , Auy. 2008, ar MM24 
(describing 4chan). 
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Imagine a large-scale attack on t ie pseudonyms used on the social networking 
site Experience Project, which tries to connect users to people who have had 
similar life cxpcrionois. 2 ^ It the researchers had access to othc , hardcr-to- 
obtain, outside information, the; r could have caused even greater harm. With 
access to Google's search query log hie, they might have learned rhe diseases 
reople had been recently looking cp/ u By connecting the IMTh usernames 
to Facebook biographies, they might Iv.vr been abie to hyp is? password 
recovery mechanism 1 ) foi then victims' online email and bank accounts, 
allowing diem to steal private communications or embezde money, just as 
somebody b r okc into oarah Palii s email account by guessing that she h<d met 
her husband at “Wasdla high." 5 ’ 1 Other possible mischief is eas' to imagine 
when one considers databases that track criminal histories, nx payments, 
bankruptcies, sensitive health secrets like HIV status and mental health 
diagnoses, and more. 


L The Database o( Ruin 


Itjs as if rcidcr.tification md tlic accretion problem join the data from 
all of the database in the wot id together into one, giaiu, clau.ba e-m-thc-sky, 
an irresistible target f< > r the nvde «'o!cni Regulators should cm*e ah i;it the threat 
of harm from reideni ification because this database-ia-the-sky o >ntains infor¬ 


mation about ail of us. 

Almost cvciy person in the developed world can b n linked 10 at least one 

fact in a computet database tha, an adversary could use for blackmail, disenmt- 

nation, harassment, or financial or identity theft. I mean mere than mcic 

embarrassment or inconvenience; 1 mean legally cognizable har n. Perhaps it 

is a fact about past conduct, health, or family shame. For almost every one of 

us, then, we can assume a hypothetical database of ruin, ‘he one containing 

this fact but until now splinteicd across dozens of databases on computers 

around the world, and thus di; connected from our identity* Rt identification 

has formed the database of rum and given our worst enemies acc ess to it. 

- » 


241. Experience Project, About ' k http //\nv\v.cxpcricnccprojcct ccm/aboi it.php (last visited 

July 5.2010). , . . 

242. See b\fra Part IV.D 2.b (disc' ssmg tlic ri4 to privacy from access to sew M oucry logs). 

243. See Posting of Sam 0 us tin, Alleged Pc dm Email HocUt Explains PORI POUO.COM TECH 
OBSERVER DlOO, hi tp //.vww.portfolu • com/vu*\v^/lilog-./thc'tech-obscivcr/2008/0 tyld/alicgcd-paltrv 
cirmil-hackcr-cxplains (Sept. 18, 2008) 
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3. Entropy: Measuring Inchoate Harm 


But even regulators who worry about rhe database of ruin will probably 
find it hard rocarc about the re identification of people to nor.sensitive facts 
like movie ratings. Until there is completed harm—until the database of 
rum is accessed—they will think there is no need to regulate. One way to 
understand rhe flaw m this is Through the concept of enr r opy. 2H 

In thermodynamics, entropy measuies d c order in a system; in information 
rheoiy, it uack* the amount of tnfbtmarion needed ro describe possible 
outcomes/ 4 ' Sim daily, in rc identification science, entropy measures how close 
an adversary is to connecting a given fact to a given individual. 2 * It describes 
the length of the inference chains heading in opposite directions, quantifying the 
iemaimog uncercain*y. 

Con^ider entropy m the children’s game, Twenty Questions.At the 
stare of a game, die Answerer thinks of a subject die Questioner must 
discover thtough yes or no questions. Before any questions have been asked, 
entropy sirs at its maximum because the Answerer can be thinking of any subject 
in die world. Wid\ each question, entropy decreases, as each answer eliminates 
possibilities. The item is a vegetable; it is smaller than a breadbox; it is not 
green. The Questioner is like d've reidencifier, connecting outside information 
to the anonymized database, reducing eotropic uncertainty about the identity 
of his target 

Entropy formalizes five accretion problem. Wc should worry about rei- 
dentification attacks that fa I! short of connecting anonymized data to actual 
identities, and we should worry about re identification attacks that do not reveal 
sensitive information. Even learning a little benign information about a 
supposedly anonymized taige*. reduces enrrapv and bungs an evil adversary 
closer to his prey. 

Consider one more extended metaphor, which Part IV builds upon to 
illustrate a prescription Imagine each person alive stands on one side of a 
long hallway specifically dedicated jihi for him or hti. At the othei end of 
the hallway sits that person’s ruinous fact, the secret their adversary could use 
to cause them great harm. In the hallway between the peison and the ruinous 


244. AmnJ Narayanan, A l\na 33 Bin, 3 \ Bl I S Of- EN‘ 1‘KOI'Y Bl.Ou, hrtp.//33hiK.orj»/ahouc (Scpr 
28, 200S) (explaining fho concept of cm ropy) 

245. The concept unjjin.ueJ with a icmmal paper hy Claude Shannon Sea C.E Shannon, A 
\Wu.'m<ma4 Ttaonr ofCoiimumictinoM, 27 BL’LL SY5. Tl< 'H. J. 379 (1948) 

246 Narayanan, lupin note 244. 

247 I am nxlehreJ to Anna Karum toi rhe analogy. 

248 Sea m/ia Barr IV A 
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fact, imagine a long series of c!os< d, locked doors, each lock requiring a different 
key, which represent the database fields that must lie reconnected or the links 
in the inferential chain that mi st be established to connect the icrson to the 
fact. Finally, imagine many othei pet pie clutching keys to some of the doors, 
bach person repiesetits a database owner, and the keys the person holds 
represent the inferences the [>er on can make, using the data the’ 1 own. 

Under the curnnt, now d scicditcd Pll approach to privacy regulation, 
we tend to hold database ovnc s—the people in the middle of t ic hailway- 
accountable for protecting privacy only if the} happen to hold one of two 
a ideal keys. First, if they hold the key chat unlocks the first door, the one 
closest to the data subject, we regulate them This is the iiukaiility form ot 
PH. 240 Second, if they hold the key that unlocks the last door, the one closest 
to the ruinous fact, we also rcgu'atc them l his is the sensu ivity lotm of Pll. 
But under our current approach, w<; tend to immunize all of the database 
owners whose kc/s unlock oniy cioors in the trwddic of tnc hallway. 


4. The Need to Regulate Before Completed Harm 

If we fail to regulate icidcnufication that has not yee ripened into harm, 
then adversaries can nudge ea< h of us ever closer to the hi ink < >f connection 
to our personal database of ruin. It will take some time before most people 
become precariously compromised, and whether it will take months, years, 
oi decades it difficult to predict Because some people have men* to hide than 

others, the burden of decreasing enuopy will not lx distributed equally across 

. _ iv 
society. 

Once we are finally connected to our databases of rum, we will be unable 
to unring the bell. As soon as Narayanan and Shmatikov lied an IMDh 
username to NeTIi.x rental data, they created an inferential linl in the chain, 
and no regulator can break that link. Anybody who wants tc can replicate 
their result by downloading the Netflix Prize data 25fc and mining the IMDb 


249. See .wpia note. 169-171 an< accompanying teu (c.\pl;uning difference between sensitive 
and linkable forms o( PH) 

250. See id. 

251. There arc two classes of pee ole who may escape this fate altogether: th we v'ith no secrets 
and those 90 disconnected from the grid llvu databases hold few records about thci 1 —including many 
residents of lcsscr-clc\'elop:xl countries, n our tw n advanced socicry, I tend to belie' - tKv the numbers 
of pcoj4o in these gro ips anc so small thai they arc hkc inyihs—rhe unicorns and rncrrr aids of information 
privacy. Ultimately, ihe sl'C of tliesc groups is a difficult empirical question, but one ths t * not particularly 
important. I think most icopic would .igrcc that large majorities in advanced «k‘h tics arc susceptible 
to rcidcntification harms, making prtvn< y regulation an important question for huge p«rts of the world. 

252. Since the coir petition is no u over, ihe d.u,i o nr' longer publicly iv,nl,ih 0 , hut it has already 
been downloaded hundreds of times l'k’tjh\ Pure Study, <u(* it note 5, at 119 
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user ratings database. Narayanan and Shmacikov have forever reduced the 
privacy of r he people whose information chey connected. The FBI cannot easily 
order connected databases unconnected, nor can chey confiscate every lasr 
copy of a particularly harmful database 

!t we worry about rhe entire population being dragged irreversibly to die 
bank of hai»n, ue musr regulate in advance because hoping to regulate after 
the fact is the same as not regulating at al 1 So long as our identity is separated 
from die database of uun by a high degree of entropy, we can rest easy. But as 
data is connected to data, ..ad as edveuaues whittle down cnaopy, every one 
of us will soon be thrust to the brink oi turn. 

B. Wait for Technology to Save Us 

Regulators may wonder wherher live technologists will save us first. If we 
view parallel advances in ic idem ificar ion and anonymization as an arms iace, 
even though the re identifiers luv'e raced ahead for now, {perhaps the anonym iz- 
ers will regain the advantage through some future breakthrough. Maybe such a 
breakthrough will even restore the status quo and shift the privacy laws back, 
into balance. 

We should not expect a majoi breakthrough lor release-and'forger ano¬ 
nymization , because ccnriputei "scientists have proved theoietical limits of the 
power of such techniques. The utility and piivacy of data are linked, and so 
long as data is useful, even m the slightest, then it is also potentially re iden¬ 
tifiable. Mm eover, (or many leading reJease-and-forgec techniques, the tradeoff 
is not proportional: As the utility ot data increases even a little, the privacy 
plummets. 

We might, howevei, enjoy some help from new technology, although we 
shook! not expect a breakthrough. Computer scientists have devised techniques 
that are much more resistant to re identification than re lea se-and-forget. Data 
administrators may use some of these techniques—interactive techniques, 
aggieg-Uion, access controls, and audit nails—to share their data with a 
reduced risk of teidentifkation. Alas, de.spire the promise of these techniques, 
they cannot match the sweeping privacy promises chat once were made- 
regarding release-and-forget anonymization. The improved techniques tend 
to be much slower, more complex, and more expensive than simple anonymb 
zation. Woise, these techniques are u^eles* for many types of data analysis 
problems. Technological advances like these imy provide some relief in a 
post-anonymi m cion, post-PI 1 world, hut they can nevei replace the need for 
a regulatory response. 
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1. Why Not to Expect a Major Breakthrough 

Computer scientists have begun to com lude that in the arm; race between 
release-and-fo r g<:t anonymization and rcidcntification, the reidenttfiers hold 

the permanent upper hand. 

a.Utility and Privacy: Two Coneept* at ^ar 


25 ) 


Utility and privacy are, a 1 bottom, two goals at war with one another. 

In order to be useful, anonyiuzed data must he imperfect!anonymous. 
"[PJesfcci privacy can be achieved by pubbsbmg nodi lug at all—but this has 
no utility; perfect utility can oc obtained by publishing the cata exactly as 
received from the n soondenu, but * his uffcis no privacy.’ No matter wnat 
the data administrate! docs 10 anonymize the data, an adversary with the 
right outside information can use the data’s residual utility to reveal other 
information. Thus, at least for useful databases, perfect anonym dot ion is impos¬ 
sible. 1 ” Theorists call this the impossibility result. I% There s always some 
piece of outside information that could be combined with anonymized data 

to reveal private in ormation about an individual 

Cynthia Dwoik offers proof of the impossibility result/ 56 Although useful 
data can never beVerieerfy pr.vate, it is important to understand the practical 
limits of this result: 2 ” some kinds of ihcoietical privacy hreac i may concern 
policymakers very little. To i ve Park's example, if a database owner releases 
an aggregate statistic listing the average heights oi women i \ the world by 
national origin, an adversary who happens to know drat his target is picciscly 
two inches shorter than the i verage Lithuanian woman may !< am a private 
fact by studying the database. w Although we would propeily say that the 
utility of the anonymized dam revealed a private fact when combined with 
outside information, 1 *' we would b- foo'haidy to regulate or forbid the release 
of databases containing aggregated height data to avoid this possibility. In 




Z53 Shuchl Chn’vla ct nl, Toward Pmocy n Fuhl.lL Dukdwcv in 2 TIIEO CRYPTOGRAPH! 

Gone, k>3 <200>). 

254 Id. nt 364. 

255 thunk, sufmi uoic 122 . at ( 

257. Dinuc Ntf-im, supra not- | ( 5 . ;u 201 t shaving. lev a pirticular mock . “tight impossibility 
results," meaning that privacy would iconic 'totally ruining the database usabtli V )• 

258 Dwirk, Siifjr i note 122. 

Z59. Id. 

260 Id 

261. Id 
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this case, rhe richness of Lhe outside information creates almost all of the privacy 
breach, and che statistic itself contributes very lictle. 

Although the impossibility result should inform regulation, it does not 
mmslate direcrly into a prescription It does not lead, for example, to the 
conclusion that all anonymization techniques are fatally flawed, hut instead, as 
Cynthia Dwork purs, u to a new approach to formulating pnvacy’s goals."* 0 * She 
calls her preferred goal “differential privacy” and ties it to so-called interactive 
techniques Differential pi 1 vacy and 1 nt eraccr *• * rcchn iques are d iscussed bclow. 

hThe Inverse and Imbalanced Relationship 


Other theoretical wo'ic suggests thac re 1 ease-and - forge t anonymization 
technique.', are particufedv ill- c uited for protecting privacy while presenting 
the utility of data. Profess Shnvacikov, one of the Netfhx Prize researchers, 
coauthored a study with just in Buckell that offers some depressing insights 
aboiii the tradeoffs between utility and pnvacy for such techniques. As the 
researchers |xic it, “even uvxlest privacy gains require almost complete destruc¬ 
tion of the data-mming utility."* 0 

The researchers compared several widely used anonymization techniques 
to a form of anonymization so extreme no data administrator would ever use 
tv a completely wiped database with absolutely no inform, icon beyond the single 
field of information undci .study** 11 —fot a health study perhaps the diagnoses, 
foi an education study the grade point avenges, and for a labor study the 
salaries. We would hope char real-world anonymization would compare very 
favorably to such an extreme method of anonymization, of course supplying 
worse privacy, bur m exchange preserving much betcer utility.*' 6 ' Although 
the full details are beyond the scope of this Article, consider the intuition 
revealed in the following gsaph: 


262. JJ 

263. Buckril & Slminkov, no re 48 ,.u ?0, 76 

264 U ar 70-71 

265. See id 
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ROUKE 1: Effects on Privacy and Utility of Anonymization"* 


Looming the Sensitive Attribute (Marini Dataset) 




HAiuc 1 n 

O * hi. 







fisMutiulhin Method and ’ammeter 


In Figure 1, the pairs of bars represent tbe same daiahas* transformed 
into many different f >rms using widespread anonymization techniques. For each 
pair, the left, black bar represents the prnacy of die data, wita smaller bats 
signifying more Privacy. The ;.ght, giay bars represent the utility of the data, 
with lo'tgcr bars meaning more utility. Anonymization techniques search tor 
ways to shorten the left bar without sho.tening the right bar too much and 
die holy grail of anonymization would he a short, black bar rext to a long, 
gray bar Even a quick sem of die graph reveals the absence of this 

condition. , 

The leftmost pair of bars, with a privacy score of almost < aghtccn and. 

utility score of about eleven, represents the original, unadulterated data. A 

score of zero represents the utility or privacy of completely wiped data. Notice 

how the first three paiis of bars, the ones labeled with the le ter k, describe 

techniques that preserve a let of ui ility while improving privacy very itt c. 


266. This figmv has been njaptei firm. a feie .n rj. at 76 Only .Ik formamr g has been changed; 

tlvcsubstanceoftin figure remainstlv same. , . ^ r or 

268. Tlwsc bars rq *c$cnt teehn*,uc5 that achieve tamonynuty. a ’viuelv cm n 

anonymity. M. at 71; S’vccncy, supra note 8 (defining Unoinmii^). 
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Although the second trio of bars, those labeled with the lercer l, 2 ^ show much 
greater improvements in privacy than the first trio, such improvements come 
only at great losses to utility 

These results show that foi traditional, widespread, release-and-forget 
anonymization, not only a.e privacy and utility related, bur their relationship 
is skev'ed. Small incieases in utility are matched by even bigger decreases in 
privacy, and small incieas.es in privacy cause huge decreases in utility. The 
researchers concluded thai even the most sophisticated anonymization tech¬ 
niques were scarceb 1 ettci rhan simply throwing aw«»v almost all of rhe data 


insteati 


Thus, using traditional, release-; ind-forget, Pll-focused anonymization 
techniques, any data that is even minutely useful can ne'er he perfectly anony¬ 
mous, and small gams in utility r e$ult in greater losses for privacy. Both of 
these relationships cut against faith in anonymization and in favor of othei 
forms of regulation 

2. The Prospect of Something Bettei Titan Release-and-Forget 

Researchers have developed a few techniques dial protect privacy much 
better than the cradtcional, release and-forget techniques. These work fay 
iefaxing either the release or the forget requirement. For example, soine data 
adminiscracois never release raw data, releasing only aggregated statistics instead. 
Every day, USA Today summarizes a survey in a colorful graph on their front 
page. Armed only with these survey responses, it would he very difficult for a 
re identifier to prove that any particular person took part in a USA Today 
survey, much less gave a pamculai i espouse. 

Similarly, some reseaicheis favor interactive techniques i,L> With these 
**chi aeiues, dte data administrator answers questions about the data without 
ever releasing the underlying data. For example, an analyst might ask, what 
percentage of the people in your daraha>c have been diagnosed with this rare 
icmv of cancer? This might prompt die administrator to calculate ant! ns teal 
the answer—say, 2 percent. Jn most cases, reidentifiers will find it much more 
difficult to link answers like these to identity than if they had access to the 
underlying law data. 


269. These bars represent Wavs suy, aruulici widely .idopicd metric The final six hor^ repicscnt 
t-clo'&new. Bnckcll <St Shmatikov, M//ira nore *|8, :it 70-7 I 
2 70. Oynchui Dw\ »rk ec al, Gi/i/wdim!» None u Sawtdviiy m lYituw A an Annfab, in 2 OCX) Tl IEORY 

OvYiTtX'iR.AiMiy Coni . 265,267 
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Researchers can do even be ter Using one class of interactive techniques, 
those that satisfy a requirement called differential privacy, ’ the data admin- 
tstrator never ever, releases the accurate statistic; instead, she introduces a 
carefully calculated amount of random noise to the answer, ensuring 
mathematically that even d.e most sophisticated reidentifier will not he able 
to use the answer to unearth mfoimr.tior. about the people in die database. 

Finally, just as these techrtqucs refer m something less than hill release, 
other techniques refuse to forget—instead, they monitor wha happens to 
data after release. Borrowing horn compute, securin' rcscarcn these tech¬ 
niques involve the use of access controls and audu in«k Using tnese 
techniques, data administrator, release tlieir data hut only aftet prr meeting it 
using software that limits access and track* usage. The data analyst who 
receives the protect-d data wdl he able to interact with it only in limited 
ways, and the analyst’s every move will be recorded m the a tdit nail and 
reported back to the data administrator o... third-party watchdog. 

3. Tire Limitations of the Improved Tcclimqu 

Unfortunately, these alternative., do nor make up to, live br *cr. Promises 
of release-anJ-forgc. anonym:; ation For starters, they term to ;e less Hexib e 
than traditional anonymization Interactive techniques require constant partici¬ 
pation from the data adr.ur.iscntor. This increases the cost c t analysis and 
reduces the rate of new anal, ms. Because an analyst must submit requests 
and wait for responses, he is not free to simply test theory-after theory attic 
maximum rate. Even worse, w. rhout access to the raw data, he m ght tms usefu 
research inquiries that reveal t lemselves to those who study trends m the data. 

furthermore, even wit! interactive techniques and aggregation, data 
administrators cannot promise perfect privacy. As an example, if an adversarv 
somehow knows chat h.s target is the only man who visited a hospi a. elm c 
Thursday afternoon, then tn.; aggregated answer to the question, tugn 
of men who visited the clime Thursday afternoon reveals sensitive inf - 
mation tied direct.y to an identity. As another example, despite decadesi of 
denials from the Census Bureau, scholars have unearthed pi oof hat 
agency provided aggregated, city-block-levcl data that helped locate Japmac 
Americans who were then sci it to internment camps during u < ^ ccon 


271. 

272 


See Dwnik, sufrro note 122, tu 8-9. 

See Ad’im U Wortniann 5«pi <x note 60, at 


5^0 (describing the * output-perturbation 
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War. 274 Even though the data did nor identify particular houses or families, 
just telling authorities how many Japan ?sc lived on each block gave them 
enough information to do enormous haim. 

Interactive techniques that introduce noise are also ol limited usefulness 
For example, a city may want to analyze census data lo determine where ro 
run a bus line to serve elderly lesidents Noise introduced ro piovide privacy 
may inadvertently produce the wrong answer lo this question.’ 75 Similarly, 
Lev enfoi cement daca miners may find unacceptable to tell a judge that 
chey arc using a “noisy” technique to justify asking for a search warrant, to 
search a home. 270 Techniques cha: sausf', d'ffcrcnna! privacy also requue 
complex ca leu lac ions chat can he costly to perform."" 

Finally, computer &ecu.ity re.>eatchets have thoroughly documented the 
problem with creating tobusr access controU.’ 7 Simply put, even the besL com- 
jxiter security solutions are bug-prone, as well as being expensive ro create 
and deploy . 2, '* All of riiese reasons explain wiw die vast majority of daca 
shared or stored today *s protected—il at all—by traditional, releasc-and- 
forget anonymization not bv these more exotic, more cumbersome, and moic 
expensive alternatives. 

Even if computer scientists tomorrow develop a groundbreaking 
technique due secures data much mom roixistly chan anything done today— 
and this is a very unlikely “if"—the new technique will only wo>4 on-data 
secured in die future; it will do nothing to {wxxect data that has been scored or 
disclosed in die past. A database, once released, can become easier ro re identify 
hut nevei more difficult. Long chains inferences from past reidentification 
cannot be broken with tomorrow’s advances. 

Techniques that eschew release-and-forget may improve ovoi nine, but 
Ixxzausc of inherent limitation: like those doscril'icd above, they will never supply 


274. WiHiain Sekrei &. Mat go Anderson, Populmnn AsMicianon of Americ , Afcei Pearl H.tiboi. 

Tlw Pioper Role ^‘Population Dar.i Sy^:. tm in Turn* ol Wai (Mar. 2S, 2000) (unpublished paper), 
rtuiibWe (U baps//panchc.fiL*.awtn .. Mt/nc. part pdf 

275. See (Jhawla ec at., noic 253, at 360 

276. Tl\e thfficitlcy of iisiny **noisy" rechiv.iues m jx lice w ork in dlusri.reJ b« a iccenr AP stmy 
documents one insr.mcc where the addition of'VarvJom uuronal" to a Jaralsa^c resulted in repeated 

utuwcessary police deployments. Cops Ctimpure* Glm/i Let/ ro Wrong AiLkvu, MSNBC NEWS, Mar 
19, 2010, hitpy/www.»nsiiho.msn coni/iJ/15950710 

277. Jon Klembery er at, Auditing Boo/emt Atiiibiues, in 2000 ACM SYMP. ON PRINCIPLES 
DATABASE SYS 86 (provmy tint pamcuU mtrluvj Mippoiting iworaenve technique is NPhaid, meaning 
amiputat 101 tally expo ns * vc) 

278 BltUClf SCHNLIER. BEYOND K’All* THINKING SENSIBLY ABOUT SECURITY IN AN 
UNCERTAIN WORLD 87-101 (200 5) 

279. Id ; t f Frederick P Brooks, ju, Ti il Mvi i iical Man-Monthi (1975) (discussing how 

sole ware engineering principles lead to buys) 
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a silver-bullet altematt 'e. Techro Jogy cannot save the day, arid reg> ilation must 
play a role. 

C. Baa Rc kicn ti f ic d tion 

Finally, some have urged s mpb Fanning rc identification. Lawmakers 
can offer a straighifoiward argument for a Fan: By anonymizing data, a uata 
administrator gives notice of he indent u> protect the privacy of \er data sub¬ 
jects, who may rely on this notice when consenting to provide her their data. 
A reidentifying adversary thwai cs this iruent and undermines th.s consent so 
much that vve might iced a law banning die act itself 

A rcidentification ban is sure to fail, however, because it is 'mpossiblc to 
enforce. How do you detect an net of re identification?*’ Reiden location can 
happen completely in tine shadows. Imagine that Amazon.com anonymizes 
its customer purchase database and nansmirs :t to a marketing f rm. Imagine 
farther that although the matkcting .irm piomises not to reiden 1 ify people in 
Amazon’s database, it could increase profits significantly bydo ng so. If the 
marketing firm breaks its promise and rcidcntifics, how wil Amazon or 
anybody else evo know? The maikcung firm can conduct the rciocndiicat.cn 
in secret, and gains in revenue may not be detectable to the ven ior. 

This problem appears insurmountable, abhough four forces might help to 
ameliorate it. First, lawmakers might pair a ban with stiictcr penal ics and better 
enforcement, for example by declaring rcidcntification a felony and providing 
extra money to the FBI and FTC for enforcement. Second, 1 twmakets can 
give citizens a private right ol action against those who rcider ufy. Thirc , 
lawmakers can mat .date software audit trails for those who ujs anonymized 
data.'* 5 Finally, a smaller scale ban, one imposed only on tmstt d recipients of 
specific databases—for example, a ban piohibitmg government data-miners 
from reidentifymg—may be much easier to enforce. 


260 End lane, A Question of Meiurty Gmif>uicr-[S axel Pmfximlmg of 'Annnywnto Heoih R^cor ' 
fVm/xs Calls for Tifhtcr Security. NtVSPAY. Nos 21, 2000. at OS (»l«oting Jaril.m Goldman, head 
of ,1 k Health Privacy Project at Gcorgrt >wn Oraveisiry as saying: "Our goal has be tv to ger a nationa 

policy making it tlicrapul to rc-identify imanoui inizcd database’)■ . . 

281. Id. (“As long as the Aua re ipicnt is discreet, no agency may never lea n if its inform. 

is being compromised" (citing Larany i Ssvccnet)). 

282 They cm ms Jcl this on .1 c Federal Stored Communications A^AvInch provides a c.v.l 

cause of action to any "terson aggriev'd by any violation of the Act. 16 U b C I Z 707 (2006). 

283. E.g . 45 CF.R. § I64.308(ti)(l)(u)(0) (2009) (describing H1PAA Security Rule mandating 

"Information system activity review" mcluclmi: tegular review of “audit Mo”). . 

284. Rw another t sample, .see a fro Tact IV.D I (discing the Iran on teide. .nf.catnm for trusted 

recipients of health info nv«uton). 
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I predict thnt any at these marginal improvements would still he 
outweighed by the inherent difficulty of detecting secret reidentification for 
private gain This significant detection problem makes a ban extremely unlikely 
to succeed. 

IV. Restoring Balance to Privacy Law after the Failure 

OF ANONYMIZATION 


Once icguiaiui conclude tlw bit rhuc painal solutions discussed above 
aie not enough to restore balance co privacy law after the failure of 
anonymization, they must do more. The\ should weigh the benefits of unfet¬ 
tered information flow against the coses of privacy harms. They should 
incorporate Jsk assessment .uiategie.s that deni with the reality of easy 
rcidendficafton a* the old PH model never could Ultimately, they should 
consider a *eues of factors to identify situations in which harm Is likeiy and 
whcdicr it outweighs the benefits of unfettered information flow. When they 
identify harm that outweighs these benefits, they should regulate, focusing on 
narrow contexts and specific sectors mchei than trying to regulate broadly 
across industries. To d enumerate how this approach works, this Part ends 
with two case studies recommending new strategies for regulating die privacy 
of liea i rh and i ate met usage i nf< >r mat t on 

t 

A. Which Database Ownei ^ Should We Regulate Anew/ 

In die search for a new organizing principle to supplement HI, 1 start 
from die premise that any privacy uile w^ devise uuis r distinguish between 
different types of database owners and different rypes of databases. This 
approach might sound like Pil, hut it is broader. The problem is not that the 
PH approach categorizes; the problem is that it focuses on only a few, narrowly 
drawn categories dint seem insufficient and even somewhat arbitrary in light 
of easy re identification. Recall die hah way metaphor: PI I-hascd rules regulate 
only those people with a key to the rirsc door closest co the data subject 
(those that can link co a user’s identity) or a key to the last door closest to the 
miaous fact (those holding sensitive information). 21 * 1 For example, HIPAA 
singles out foi special treatment social security numbeis (linkable data) and 
medical diagnoses (sensitive data). P1I rules ignore the people who can unlock 
doors only in the middle. 


285 Kcv text accompanying snfna notes* 2^8-250 
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The power of ^identification demands that we begin to r ’gulate the 
middle. But how? If. would be logically justifiable but overly aj.grcs$ivc to 
regulate any entit" possessing any fragment of data at any point along the 
chain of inferences, covering even a person holding only one key. We should 
aim to direct scarce regulatory r •sources at those database owneis that most 
contribute to the risk of the database of r uin through well-tuned r lies. A nue 
that regulates the database owner m the middle that possesses bur a naglc 
scrap of unimpourmt data puts n o much regulatory focus on too slight a risk. 

Which database owners it. the middle most contribute tc the t’.sk o 
harm and thereto most deservr government scrutiny and regulation? To 
the current PH-anproach—regulation kr these holding linkable data anc 
those holding sensitive data—; proposewe add at kasr one m ue category 
of database owners, the “large entropy reducers." 2 * Large entr ipy reducers 
arc endties that amass massive databases containing so many links between 
so many disparate ki vis of «nfc motion thai they represent a significant part 
of the database o( rui a, even if i hey delete from their databases a 1 particularly 

sensitive and directly linkable i ifornvition. 

We can justify ti eating tbee entities differently using the lar guage of duty 

and fault. Because Luge entropy radu' ers se»ve a? one-stop shops lot adversaries 
crying to link people ;o ruinous I acts, they owe thci r data subjects a heightened 
duty of care. When a large entr opy reducer loses control of ins massive database, 
it causes much more harm than an entity holding much le^s date. 

Who are large entiopy isducer?? In the hallway metaphor, they are 
the people clutching many ke/s; imagine the mythical janitor? keyring, jan¬ 
gling with dozens of inherent kt ys. In practice, this category inclu les large credit 
agencies like Expeuan, TransUnion, and Equifax; commercial data brokers 
like ChoiccPoin t, Acxiom, and LexisNexts; and internet search providers like 
Google, Microsoft, and Yahoa. These arc among the most important large 
entropy reducers, but there are many others, and we should develop a more 
precise definition of the categ > 17 , perhaps one taking advantage of the formal 

definition of cncropy. 


286. In addition to large entropy reduces other t Uses ofdatakt.se m-n® p nkiWy deserve new 
regulation to account foe the way they increase the risk of harm due to easy ret r .1 tcalton. . 

jwnc debase ownc* cat, make links! "tween fields ol tnfo. nation dal can lie con,reeled by fc« othc 
SriTlter can unloc ■; rearing key held h> few people. For example. a-nstder how a cell 
«ht»c otwidcr or autoiuobdc toll booth administrator can track physical movement and Incation in 
^^diatfcwodwfswkfcts cam Likewise, some database owners bold fields of data 1 liat tvet *®**kj , |^* 

on many sites, making them powerful tools lot retdcmil.cm«>n M u,™, cSdd cs" 
this manner, at wchsttcs use tltcm tn place of usernames. Pedtaps any entity hnklxtg an cm d . „ 

deserves new regulation. I plan in fut tie work to Jcvclop these catcgot.cs further and to flesh h 
arguments for rcgulatinr them more c “oscly 
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We should expand existing privacy laws and enact new privacy laws thar 
regulate the behavior ot companies like these. To be sure, many of these firms 
arc already obligated to comply with many different privacy laws, but in light 
of easy reidencificauon and the database of ruin, we need to regulate them 
more, perhaps with new rules tailored to limiting the type of risk of ;eiden¬ 
tification such providers represent. 


B. Regulatory Principles 


Now that we know whom to regulate—database owners holding Likable 
cx- sensitive data (PII) and large entropy reducers—we turn to the content of 
regulation. How should regulators respond to the power of reidcntificaiion 
and the collapse of our Lith ui anonymization? Before we run ro a Lsc of 
factors that will guide us to the proper regular ion, we need to understand some 
overarching principles. This step is necessary because so much o< how we regu 
lace privacy depends on our faith m anonymization; stripped of this faith, we 
need to reevaluate some core principles. 


1. From Madt to Sociology 


Regulators need to shift away from dunking alxutt regulation, privacy, and 

lisk only; from die point of view of die data, asking whether a particular field 

of data viewed m a vacuum is identifiable. instead, legulaiois must ask a 

broader sec of questions tb.at help reveal the risk of ic identification and threat 

of hami. They should ask, for example, what has the data administrator done 

to reduce die risk of re identification? Who will try to invade the privacy of the 

* 

people m die data, and are they likely ro succeed? Do rhe history, practices, 
traditions, and structural features of the industry or secror instill particular 
confidence or doubt .ibtxic the likelihood of privacy? 

Notice that wlvle the old approach centered almost entirely on tech¬ 
nological questions—it was math and statistics all the way down—the new 
inquiry is cast also in sociological, psychological, and institutional terms. 
Because easy reidencificanon has taken away puiely technological solutions 
that worked irrespective of these messier, human considerations, it follows that 
new'solutions must explore, at least in part, the messiness. 2 " 


287. Sed ChawL or al, wipia n»ire 25 >, :ic 567 (rvving that the rel.itive .iJ\mirage* ofone mt inactive 
technique ls that "the real Jara cm lv dole red or kicked in a vnttilc, anJ so m »y lx.* les* vulnerable to bribery 
of the database udmmistiator") 
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2. Support for Both Comprehensive and Contextual Regulation 


The failure of anonymization will complicate one of the longest-running 
debates in information privacy l iw Should t emulators enact comprehensive, 
cross-industry privacy reform, or should they instead tailor specific regulations 
to specific sectors?" Usually the e competing choices are labeled, i effectively, 
the European and United State? appioaches In a nostanonymiz ition woild, 
neither approach is aifficient clone. We need to focus on paiticular tides 
arising from specific sectors beer use it us duficult to balance iutei‘*sts compre¬ 
hensively without relying on anonymization On the othci han<1 ( wc need a 
comprehensive rc^ulanon that *cts a fl<xx of privacy protection Iccause ano¬ 
nymization permits easy access so ih** database of rum. In aiming tor both 
general and specitic solutions, this recommendation echoes Dan So love, who 
cautions that privacy should be addressed neither too specifically nor too 
generally. 28 ** Solo/e says that wc should simultaneously “resolve privacy issues 
by looking to the specific content, ,,2V> while at the same time usi ig ‘ a general 
framework to identify privacy harms or pioolcmsand to understand why they 
arc problematic.”* 91 

Thus, the U.S.’s exclusively sectoral approach is Hawed, because it allows 
entire industries oo escape privacy regulation completely based c.i the illusion 
that some data, harmless data, data tn the middle of long chains of inferences 
leading to harm, is so bland and non threatening that it is not lil ciy to lead to 
harm if it falls inio the wrong h mcls. The principle of accretive n identification 
shatters this Hluoion. Dots almost always forms die middle Unit in chains of 
inferences, and an} release ol data brings us at least a little closer to our 
personal databases d min. For this reason, l here is an urgent net d for compre¬ 
hensive privacy lefoim in this country. A law should mandate a minimum floor 
of safe daca-handlirg practice:* on every data handler in the U S. Further, it 
should require even stricter data-hancIHnp practices for every large entropy 
reducer in the U.S. 

But on the other hand, the LurO|K;m approach—and specifically the 
appioaeh the EIJ has taken in the Data Protection Directive—sets the height 
of this floor too high* Many obscivcrs have complained abo.it the onerous 






~ 268. c.y., Sdrvaru, of «ccrcr*l and comprchcn- 

sivc approaches to |*riva ‘y (aw). 

189 . DANIEL |. SOLOVE, UNOEI 1 SI ANOINT. PR IVATT -16-49 (Z008). 

290. id. iw 46. 

291. Id. at 4*'. 


Broken Promises of Privacy 


1763 


obligations of the Directive/' It mighr have made good sense to impose such 
strict requirements (notice, consent, disclosure, accountability) on data admin¬ 
istrators when we still believed in the powci of anonymization because the law 
left the administrators with a f.m choice: Anonymize your data to escape these 
burdens or keep yom daui identifiable and comply 

Bui as we have seen, eas\ leidcnrihcadon ha-: mostly taken away this 
choice, thereby biondcning the icuch oi the Duective considerably. Today, 
the EU hounds Google ihouc IP addresses; tomorrow. it can make similar 
arguments about virtually any daiu'pcsscssing company or industry A 
European privacy legulatoi can reasonably argue that any database containing 
facts {no matter how well scrubbed) relating to people (no mattei how indi¬ 
rectly) i'ery likely now (alls within the Directive. It can impose the obligations 
of the Birecnve even on those who maintain databases that contain nothing 
chat a laypvison would recognize as .dating to an individual, so long ar the 
data contains idiosyncunic luces about the lives of individuals. 

f suspect that some of chose who originally supported the Directive 
might feel differently about a Directive that essentially provides no exception 
for scrubbed data—a Paecnve covering most of the data m society The 
Directive’s aggressive data'handling obligations might have seemed to strike 
the proper balance between information flow and privacy when vve drought 
that they were restricted to “personal data/' but once rcidcncificadon science 
redefines, “personal data” ro include almost ail data, the obligations of the 
Direenve might seen; too ixuJensome. For these reuse mx, the European Union 
might want to reconsidci whether it should lower the floor of its compre¬ 
hensive dara-handiing obligations. 

Finally, once the U.S tackles comprehensive privacy reform and the EU 
lowers the burdens of the directive, both governments should expand the 
process of imposing heightened pucacy regulations on. parncular sectors. 
What might he needed above rhe comprehensive floor for health records may 
not be needed for phone lecoals, and what might solve the problems of 
f r iva:e data release probably will hol work for public releases/ 91 This approach 
borrows from Helen Nissenbaum, who uiges us to understand privacy through 
what she calls ‘‘contextual integritywhich “couches its prescriptions always 
within the hounds ol a given context” as better than other “universal” 


292. E.g., DOllOTl ILL HLISUNRERG. NtGOTlATINC PRIVACY: TllC EUROPEAN UNION, THU 
UNITED States and PERSONAL Data PlU ni'CTlON 29, 30 (2005) (ciUtnc pans of the Diieccive “quile 
Mricr" anti “overly complex anti huulensome**) 

293. 0/ infra Pan 1V.D (JiseiKMng spceilu. iulo lei health privacy anJ .watch engine privacy 
contexts). 
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accounts.” 4 This approach also slands m stark contrast to the advice of other 
information privacy scholars and activists, who tend to vilor»z' sweeping, 
socicty-widc approaches to protc< ting privacy and say nothing complimentary 
about the U.S.'s sectoc al approach. 

What easy re identification thus demands is a combination of compre¬ 
hensive data-pintactic>n regulation and raigcted, enhanced obligations for 
specific sectors. Manv othcis hr vc laid out the persuasive ease fci a comprC' 
hensive data privacy law in the United States so l refer the read ,r elsewhere 
for that topic. 295 The rest erf the Article explores how to design sector specific 
data privacy laws, now that we « an no longer lean upon the ciuich cf robust 
anonymization to giv.; us haUtw e What does a pnst-anonynvzation privacy 

law look like ? 


C. The Test 

in the posl-anonymization age, once regulators pick i target for 
regulation—say, large entropy reduons in die healthcare irdustry—they 
should weigh the following factors to determine the risk of rcidc mficatiop in 
that context. The hsi is not cxb lusrivc; other factors might be rcl :vant The 
factors seive two purposes: They are indicator of risk and instruments for 
reducing risk. A;; indicators, they signal the likelihood of privacy harm. For 
example, when data administrators in a given context tend to ^orc massive 
quantities of inform mon, the risk of ^identification increase;. Regulators 
should use these indicative fa< lots like a score card, tallying up the risk of 
re ideat ification. 

Once regulators decide to regulate, they should then treal these factors 
as instruments for reducing risk—the tuning knobs they can c-veak through 
legislation and regulation to reduce the risk of harm. As only one example, 
regulators might ban public icU .uses of a type' of data outright whi c declining to 

regulate private uses of data. 


Z94. Helen Nr sent- win, ft ivuey •« OrmitxuW fncaniy, 79 WAS! I L. REV. 119, 1 54 (2004). 

295. E.r., Solnve & Hoofnayle, .vrfrra nmc 161 . 

296 the European nrlvacy watch toft the Article 29 Working Group, often; th : follow,ng, similar 

hut not identical, list of fr dors: 

The cost ofctxxl Krin’ Kluicifitatto. , i» one foctoi, but not the only one. The inti idee purpofe, 
the way the proccssii ig is stneuirc 1, the advantage expected by the controllci, the interests 
otstake for tlic indu klunls, as we'I as the risk of organisational dysluiiclions (eg. breaches 
of confidcntialit” dut o) and technical fo.lu.es should all lie taken into account On the other 
hand lone).. s'xwld consider the state of the art in technology at the time of die processing 
and the |x)ssihilitics firilevdopmcit duuoc the penixl for which the Jal.i will he processed. 

2007 Working Party Opinion, Jifpm note 28, at 15. 
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1. Five Factors for Assessing the Risk of Privacy Harm 

m 

Dattt'Handfing T ec/m/tjucs 

How do different data-hnndling techniques affect the risks of re identifi¬ 
cation? Experts probably cannot answer this question with mathematical 
precision, it is unlikely vve can* ever know, say, that the suppression of names 
and social security numhets producer an 82 percent risk, while interact've 
techniques sansfyingdiflcrcntul privacy piodi jc a 1 percent lisk. Still, com¬ 
puter *cteu:isfs coukl likely provide a rough lelative ordering of different 
techniques—oi at the very least, grade data-handling practices according to 
wbedier die r:sk or reiJentificauon b high, medium, or low. 297 For example, 
computer scientists mighr grade fa^oiahly a database owner that uses the kind 
of new interactive techniques desci ibed carLcr, although remember that such 
techniques are no panacea. 

Private Versus PMtc Release 

Regulators should scrutinize data releases to the general public much 
more closely than riiey do private releases between nested parlies. We fear 
die database of min because we worry that our worst enemy can access it, but 
if we us '4 regulation to limit the flow of information lo trusted relationships 
between private panics, we can ore a die a little easier It is no coincidence 
that every case study pte.sen.ted in Part f.R involved the public release of 
anonymized data In each case, die researcher or researchers targeted the 
particular data because it was easy to get, and m the AOL search query example 
in particular, an army of hloggcr-rciden1 1 tiers acted as a force multiplier, 
aggravating greatly die breach and the ham. 

My argument against public releases of data pushes back against a ride of 
theory and sentiment flowing in exaedy the opposite direction. Commentators 
place great stock in rht u w: dom of ciowds,” the idea that "all of us are smarter 
than any of us.”'* 5 Companies like Neiflix release grear stores of information 
they once held closely to try to harness these masses. 29 *’ 


297. Some computet actenrisrs have alieady renrarively offered studies (fair arrempr ro categorize 
die risk of reidenrtf tear ion of Jiffarenr techniques. See. e.g , Lakshmnnan er al., >iipra note ^6 (focusing 
oil anonymization); Adam & Wortmann, snpm note 60 (evaluating methods, including conceptual, 
query restriction, data perturbation, and initput pci unbutton). These studies do not take into account 
rhe latest advances in reiJcnuficarion, bur they are models for future work. 

298. Si JKOWIECKI, Mi/mi note 15 

299. Sl\‘ Thompson, sttfmt iujic 93. 
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The argument even throws some sand into the gears of the Obama 
Administration’s tech-savvy new appioach to governance * . 

launch of websites hkc data,gov 3 " and tire appointment of federal clf.ctais 
CTO Aneesh Cho P m' 0 ' and CIO Vivek Kqndra, the admmts rat.on has 
promised to release massive databases heralding a twenty-first ce. tury mode 
Eminent openness * Am, -Jr, the accolades that have been showed 
upJm the government for these efforts, ' one snou.d pause to 
costs. Wc must remember that utility and puvacy arc two s«dcs of the same 
coin m and wc should assume th it the terabytes of useful data that will soon 

be on government wdsi.es will come at a cost to 

mtc with, if not <l,r,proportionate to, the increase in sunlight ar d utility. 

Quantity 

Most privacy laws regulate. lata quality but not quantity 1 -aws dictate 
what data adminisnators can do with data according to the nature, scns.avity, 

and hnkability of the information, but they tend to say 

much data a data administrator may collect, nor how long the ail 

can retain it. Yet, in every Notification study cited, the mse were 

aided by the she of the damba.se. Would-he reidentif.ers will hn l it easier »» 

300 Data (to vwted June u"2010) ( 'The 

k.ohkLc fuHic JL»h* value, machine -Wcdata^dialed ' V -1- Exccuuv. 

"ranch of ihc Federal' V”cmnient")• . Vtrvrm'i Aivcdi Oiofiro US CTO, 

301. Sec Posting of Nate Anders >n, CMv.™. A|, ^ j /ncws/Z co 9 /04/nhama- 
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a rP oi«s-vi, ( .i«tias- a nc,sr-dv, rl a-i«<tos^ c hic[ ,^mw m Officer. HY. 
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iofomintif n-ofneer (Mac 5 7.009, 10:06 USX) i nr ludira his ime .t»on... to create 

303 Id ("Me. KtniJia discussed sotr,- a , ms p hn> «« crc * ts ; ,nchK ** ,, , . .«\ 

*• ‘ - 

should structure systems to enable greati r internet *>c * ^import ivc hut more cautious memo, 
The Ccn, " f ? l | C Q"involvingdcidcniifKatmo anti rcidcntifkation. Or. for Democracy 

txzszsr* lotion 

potential, then: arc impotent privacy implicate: abated with data d.scl«ure ) 

305. Sec supra Part I I1.B. l.». 

jS £3:2; SCJ iU,™ *- 1 - *“ 
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match data to outside information when they can access many records indicat¬ 
ing the personal preferences and behaviors of many people. Thus, lawmakers 
should consider enacting new quantitative limits on data collection and reten¬ 
tion.** They might consider kw*, for example, mandating dara destruction after 
a set period nl time, oi limiting the tend quantity of data that may be possessed 
at any one time. 

Mo/ive 

In many contexts, sensitive data is held only by a small number of actors 
who lack the motive to icidentify.** For example, rules governing what 
academic researches can do with data should reflect the fact that academic 
reseaichers : a rely desire to re identify people m theii datasets. A law that 
scricdy limits inhumation sharing tor th 2 general public—think FHRPa 
( student {.privacy), HI PA A (health privacy), or ECPa (electronic communi¬ 
cations privacy)—might be relaxed u allow researchers to analyze rhe data 
with fe vvei const rai nt s. Ol cl Kirse, regu 1 a to rs shot i Id d t a w cone 1 usions aho u t 
nnxive carehilly, because n is hard to predict who the ad versa: y is Lkely tc 
be, much less divine his or her motive 

Regulators should also weigh economic incentives for reidentification. 
Although we should wony about our enemies targeting us to leam about our 
medical diagnoses, we should wony even more about financially-motivated 
identity diiews looking for massive databases char they can use to target 
thousa nd.j s i multa neons! v. * 1J 


Tmsi 


The flip side ('if motive is trust. Regulators should rry to craft mechanisms 
for instilling or building upon trust in people or institutions. While we labored 


308. See Euiope-in Union Amde 29 Dara Proper ion Woikmg Parry, Opinion 1/2008 m Data 
Protection hiues Reining to Scotch Engines. 00737/EM 'VP US at 19 (April A, 2008), rmuOUe nr 
lnqx//ec eumpa eu/justiccjion>c/lsj/pm acy/dticVvvpde<$/2007/vvp 136_cn pdl [Ivcreiniifter 2008 Working 
Paity Opinion] (arguing rhar scsirt h engines .should srorc quei ies foi a maximum of mx months)- 

309. 0/ EU Data Protection Duecnvv. >u/>m note 3. ar iccual 26 (noting that “the means likely 
reasonably to K. used" to identity mdieidu.il:> are relevant to a determination of whether individuals 
are **ideniiliable , ‘), 

310. As one common!nrnr puts ir 

IT) here’s far less economic mcenrive fora criminal ro go afrer medual dara instead of credit 
card information. Its harder ro monetise the fact that 1 know that Judy Smith of Peoria has 
heart disease—hy iituip false claims m her name, lor example—than to liavc Judy’s credit card 
numbei and expiration Jarc. If I’m a cumin.il with advanced Jara .skills anJ 1 have a day ro 
spend, I’m going ro go afiei financial Jara and not health dara 
Cline, swpm note 177. 
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under the shared hallucination of anonymization, we trusted the technology, 
so wc did not have to trust the recipients of data; now that w; have lost 
trust in i.hc technology, we need lo focus more on trust in people We might, 
for example, conclude that we trust academic researchers implicitly, | overnment 
data miners less, ar u third-party idvertisers not at all, and we can build the<e 
conclusions into law ?nd legulat* hi 

L Apply mg the Test 

By applying the five factors, regulators will have a cough sens-' of tlv* risk 
of rcidentification of a particular i ype of provider m a particular context. If the 
risk is very low, regulators might 1 house to do nothing. It the usk f vcr > high, 
regulators should feel inclined to act, imposing new restrictions on data collec¬ 
tion, use, processing, or disclosure, and requiring specific data s: fe-handling 

procedures. 

Regulators should perhaps also take into consideration the sensitivity of 
the data. It makes sense to treat mod* A diagnoses differently thai t television- 
watching habits, -or example, Peruse the path to harm for the former is 
shorter and more direct than foi the latter. But because the dat: base of ruin 
can be built almost entirely with iionvnsitiv c data, regulators should beware 

not to make too much of this ote p m the analysis. 

Finally, regulator should compare the risk and the sensitivity D) the various 
benefits of unfettered information flow: for medical privacy, bette r treatments 
and saved lives; for internet privacy, letter search tools and cheaper picducts, 
for financial privacy, fewer idertity thefts. If the benefits ol un. :rtered infu- 
rmation significantly outweigh tl ie costs to privacy in a particular < ontext, they 
might decide to surrender/" f erhaps lawmakers will see ^identification as 
tl\e latest example of the fmtili* y of attempting to foist privacy on. an una n - 
prcciative citizenry’ tin ough ham handed regulations. Maybe d\cy mil conclude 
they should just give up and live m a society with very little ptiv< cy. 

Much more often, regulators will conclude that the cos s to privacy 
outweigh the benefits of unfettered information flow. When they come to 
such a conclusion, t ley should consider rules and laws that reduce the risk 
by restricting the amount of irVormahon flowing through society. Of course, 


311 Fvir example, Ha»vaaTs Person; 1 Genome Placet, which is sequencing the C of thousands 
of volunteers to hunt lor genetic marker for disease, lias essentially tokl its voluntcc rs to forget about 
privacy. Peter Dutkes Vow.- ON A h <i Sr Uch. SALON.COM, Fch. 17, 2009. lutp://ww<v salon com/cnv/ 
fcaturc/2009/02/17/gencttc ^resthTg ("fTf ic Personal Genome Project essentially tell ■ its volunteers o 
kstgcf about pnvacy gu trainees. 'I like the Personal Genome Projec t «pp™ch He cholarj says. It s 
honest. They’re saytn ?, "If >uu want to lake the risks, great 
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such restrictions must be chosen with care because of the important values of 
free information flow Regulators should thus try co clamp down on informa¬ 
tion flow in targeted ways, using the factors listed above in their instrumental 
sense as a menu of potential inten enrions 

If the costs significantly^ ourweigh the benefits of information flow, 
regulators might completely ban the dissemination or storage of a particular 
type of information Foi example, regulators should piobahly often conclude 
that public icleases oi uifonnation—even information chat seems benign or 
nonduvatentng—should lx* banned, particularly because such information 
can be used to supply middle links in long chains of inferences. In more 
balanced situations, regulators might restrict but not cur off information flow, 
for example by instituting a quantity cap u a time limit for storage. 1 ” The\ 
might also place even mildu lesuiccions on small classes of crusted people— 
academic researchers, for example—while banning the shaiing of the data 
with anybody else. 

D. Two Case Studies 

To demonstrate how a regulator dxxrld apply this lest, and to highlight 
doe important roles of context and trust, let us revisit again the ease studies 
introduced before: health aixl internet usage information Debates about the 
proper regulation of these uvo classes of data have raged for many years. 
Although l cannot capture every nuance of these debates in this space, 1 revisit 
them in order to show how to regulate data privaev afcei the fall of the robust 
anonymization assumption. 

1. Health Information 


Once regulators choose to scrap the current HIPAA Privacy Rule—a 
necessary step gb'en the rule's intrinsic faith in deidentification—how should 
they protect databases full ol sensitive symptoms, diagnoses, and treatment*? 
Consider one class of usei* of such information m paicicular: medical 
researchers seeking new treatments and cums foi disease. In this context, 
both the costs and henefiis of unfettered use are enormous. On the one hand, 
if our worst enemies ger hold of our diagnoses and treatments, they can cause 
us great embarrassment or much worse. On the other hand, researchers use 
rhis information co cure disease, ease human suffering, and save lives. Regulators 


312. .SVc* 2008 Working Parry Opinion, tu/mi note 308, nr W 
queries for onlv six month*) 


(aiyuing warch engines skutlJ stoie 
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will justifiably be refuel;int to throi tie information flow too much in t his context 
since the toll of such choices might be measurable in human lives ost. 

HIPAA tried to resolve this dilemma by trusting the technology of 
anonymization. ^Jv c no longer trust the technology, but we can si ill rely on a 
different trust: tru»t in the rese ircheis themselves. Health researches are 
rareiy willing to release sensitive data—scrubbed or not—to just anybody 
who asks Instead, they tend to -'hare such data only after verify mg the bona 
fidcs of the person asking Rcgulrtors should build upon such hum »n networks 
of trust in a revised HIPAA, allowing data transfer where trust is high and 
forbidding it where tiest is low. 

The problem is that toda> researchers trust one another recording to 
informal rules and sof: intuitions and to build trust into law, these rules and 
intuitions must be formalized a kJ codified. Should HIPAA rely only on a 
researcher’s certification of trust in another, or should an outside yy\y such as 
an Institutional Review Board review the oases for tiustf Should trust in a 
researcher extend als^ to her graduate students? n 'o her undergraduate lab 
assistants? Regulator, should work with the medical research community to 
develop formalized rul< 3 for determining and d< Alimenting trusted r dationships- 

Once the rules t f verifiable oust arc codified, regulators can fiee up data 
sharing between trusted parties. To prevent abuse, they should require addi¬ 
tional safeguards anti accountability mechanisms. For example, they can 
prescribe new sanctions—possibly even criminal punishment—for those who 
reidentify. They can also mandate the use of technological mecl* anisms: both 
ex ante like encryption and password protection, and ex post rev iew methods 
like audit trail itu ch?nisms. 

Regulators can vary these additional protections according to tnc sen- 
sitivity of the data For example, for the most sensitive data such as 
psychotherapy notes and HIV diagnoses, the new HIPAA car mandate an 
NSA-inspired system of clearances uul classifications; Hl p A/ require 
that researchers come to the sensitive data rather than letting the data go to 
the researchers, requiring physxal presence and in-person analysts at me site 
where the data is hosted. At ihc other extreme, for databases that contain 
very little information about patients, perhaps regulators can rcl ix some or all 
of the additional protections. 

While these now, burdensome requirements on their owi might stifle 
research, they would permit a lothe- change uom the status quo that might 
instead greatly tixpcnd research: With the new HIPAA, regulators should 


113 According to federal rules, «:Jcia»v-funded icm. vth involving lumw Mihiccw fm»t lie 
approved by an IRB. 45 C'.F R. §§ 46 V U-109 (2007) 
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rescind the current, broken deidentification rules. Researchers who share data 
according to the new trusohasod guidelines will he permitted to share all 
data, even fields of data like hitch dace or full ZIP code chat they cannot access 
today.*" With more data and more specific data, researchers will be able co 
produce more acctuate results, and thereby hopefully come ro quicker and 
better conclusions.*'* 

This then should be the new HI PA A. Researches, should he allowed to 
release full, uascuibbcd dacahases co venfiably crusted thud parties, subject 
to new c aitrols on use and new penalties fo 1 abuse. Releases to less-dusted 
diird parties should fall, of course, under diffcrenr nilcs For example, trust 
should nor be transitive. Just because Oi A gives her data to trusted Dr. B 
does not mean dw Dr B car. give die data co Dr. C, who must instead ask Dr. 
A for the data Ku then none, releases to nonrese archers such a* die mar¬ 
keting ann of a drug company should fall ..ndci very Jiffcient, much more 
restrictive rules 

2. IP Addiesses and Internet Usage Information 

Lastly, consider again the debate tn the European Union about data 
containing IP addressee Recall chat every computei on the internet, subject 
ro some important exceptions, possesses a unique IP address that it reveals to 
every computer with wh.ch it communicate. A fierce debate lias raged between 
European privacy advocates who argue that IP addresses should qualify as 
“personal data" under die Data Protection Directive 316 and online companies, 
notably Google, who argue tiiac in many cases they should not 317 European 
officials have split on die question, 1 With courts and regulators m Sweden 3, ^ 


3M lc makes sen*. to continue ui prohibit the irauslct o( some data, such as ivimcj, home 
ttdtkwvic*. anJ phorc^i aptw that could reveal 'dennej iwlwur any outside information ar ail 

315. 71\e cupxinr HiP/uA Pt i\ .ky Rule h ls r* 4 Kvn Mamet! ini a lediiv non in Jan* sharin'; wmon^ 

health researchers 

hi a survey of epidemiok^iso repotted m the Journal of the Ameucun Medical Associat ion, 
two-thirds said rhe H {PA A Pnvacy Rule had made revcaich .stihsrann illy more difficult and 
added ro rhe cose*, and uncciTainty of then pmjeirs. Only onc-qtiairei said rhe rule had 
increased pnvacy and the assurance oi confklcniialit} for patients 

Nancy Penis, The Search /orMu l\m t Go\*T HlalYi 1 IT, Jan. 26, 20C*>, hup.//\v\nv.-ovhealtliic.cum/ 
Artido.aspx ?id« 7 H 56. 

3t6. 2007 \X/«>rking Parry Opinion, wipi a nnre 28, ai 21, Elctrromc Pnvacy Information Centei, 

Search En&wPmkicy, lutp://ep»o.iV-/ptivacy7scarc!w n-inc (List visited Apr 4. 2010) 

317. See sources cited inf}a note 124. 

318. Fin a givid summary', aee Posting i\fjth**ph Ourkr, W»i\ That Your Computet Tniking co Me' 
77kr4:(drmd IP AJthe\\c\ as 'Venonal TXua\ PERKINS COIE OlGESTlRLi: LAW BLOcl, hrrp//www 
fviLinscoie.coui/edisccweii/l^k^Q jspx entry * 5 H7 (June 2d, 2008, 23.30 EST) 
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;ind Spain’*'deciding ibat IP ;»d<lresscs foil within the Directive and those in 
France,”' Germany,” 1 md the UK” 5 finding they do not. 

a. Arc IP Addresses Personal? 

The debate o”cr IP addresses has transcended EU law, as Google has 
framed its arguments not only in terms of legal compliance Kit as i he best way 
to balance privacy against I3P reed. *' In this debate, Google h is advanced 
arguments that rely on the now discredited binary idea that typifies the PH 
mindset: Data can eid er be idem ifial >lc or ru >i. Google arg- les that data should 
be considered persona I only il it can bo tied by the data adimnisi nuor to one 
single human being. If instea! die data administrator can n irrow an IP 
address down only to a few hundred or even just a few human Oeir ys in other 
words, even if the ad'linistnatoi can reduce the entropy o( the data signify 
cr.ntly—Google aig ics diet v sh sold not he regulated. By cmbrac ng this .dea, 
Google has downplayed chc importance of information enttopy, he idea that 
wc can measure and react to imminent privacy violations before iney mature. 

Google frames .bis argument in several ways. First, it aigucs that IP 
addresses arc n<x personal be. a use dvr, identify machines, rot people. 
Google’s Global Piivacy Officei Pete- Fle.3cb.er, ofte:s iiypodhcti' al situations 

[ - mm* *11 I 

319. j<thn O.ires. SuA'dcn. IP Addre^es we Fciftnwl On/css Vourt o Pirate. REGISTER, |unc 

18, 2009,mwItiWe at h tp://www.lhcu£is. -r co u! /ZCX>W)/18/svvcdcn_ip„in\v. 

J20. agencia i&pankua he Pin tox:io.< oc Datos, Statement on s arch Engines 

(2007), awufriWc at hrq x/favw samucipar: o^nos/common/ 

pdfc7dcclnracion_.u:pd _bu.< ;Kiorcs_cn pd 1 (opinion of Spanish Data Protect ior Age icy JcciJir.£ that 
search engines pnxicss "per oodl data,” r< \) mg in pat t on earlier ruling Hx*ul IP addresses). 

321. Mcryc™ Maaonki, Is fhc IP A ddress Suit a Pas anal Data m France', EORI ORAM, Sept 12, 
2007, hltp://www edri nrg/c dngram/num x*r5.l 7/tp*pcrso»vd-d»ita-fr. 

322. Posting of Jeremy Mtuma, C -*nnan Court Rules That IP Addresses Aic ^ at Personal Data, 
FRUSRAUEk PRIVACY LAV' PLCX ' hfto , ;pnv,iq lew p r osk luer cotr/2008/l0/arCicle$ t curopcaiV'Uniorv 
cerman'Couft'rulc.S'that^ip-;HklicoSCS'arc* noi-pei '-onal'dat.i <C\t 17, 2008). 

32.3. iNR'i.CaiM’R'sOra, Data PRommoN Good Practice. Oouu ting Personal 
INFORMATION Using WKHSITtS 3 <200i). auatiMc at hup//vvm'.ia..^wuk/iiphwd/*bxumcnts/iibniry/ 
dala_ protect ion/pract seal.. ipplicsHion/collceung jxryntaLinhirmation_funiG vxbsiu - l*0.pd . 

324. Posting of Alma Whitten, Arc IP Addresses Personal', GOOGLE PUBLIC POLICY BLOG, 
httpd/googlcpublicpoj icy.l logspot.com/. 1 C08/02/ai cdp^Kklrc^s-permnal html (FcL. 22, 2008, \ 2.31 
EST) (tying tlx Jiscurstoo ro the broad question "?* the Gild’s information moves < nline, how should 
we protect out privacyD; Peter Flench r, Gw n Wehvtc Identify n User Dated on II’ Address’, PETER 
FLEISCHER. PRIVACY . I httpi/fpctcrficischcr Mogspot coin/2C08/D2/cmvwelTSite-i' icntify-uscr-bascd- 
on-ip.html (Feb. 13, AW' f Privacy lav* should lx al™t pmrccttng identifiable in lividunb and their 
information, not about um.cmuning uxli.idua I nation."). Mr. Fleischer serves as Google s Global Privacy 
Counsel. Because of this, I cite his Hog ptsc? for clues about Google's views, hut l si iould he clear that 

Mr. Fleischer’s blog bears ihc disclaitnci. "these ruminations arc mine, ml Google' 

325. C/. Fleischer, mpret note 3 24 (An IP address “eonsunites by no m ans an indirectly 
nominative data of the person in that d only irlitcs to a machine, and not to thr individual who n 
using the computer rt ou'cr to comma« ouuteifett." (quoting decision of the Paris Appeals Court;; 
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m which many users share one compuier with a single fP address, such as “the 
members of an extended family each making use of a home pc, a whole 
student body utilising a libiary computer terminal, or poccncially thousands of 
pec^le purchasing from a networked vending machine.”^ Is Fleischer right 
ro categorically dismiss the threat to privacy in these .situations/ Is there no 
threat to privacy when Google knows that specific seaich queries can he nar¬ 
rowed down ro the six, seven, mavhe eight members of an extended family? 
For char mattei, should regulators ignore the privacy data that can be 

narrowed down ro the students on a particular college* campus, as Fleischer 
implies they should? 

Second, in addition to the machine-not-person aigumenr, Google further 
ignores the lessons of easy re identification by assuming it has no access to 
informs cion that it can use to tic IP address co identity. On Guggles official 
policy blog, Software Engineer Alma Whitten, a well-regarded computer scien¬ 
tist, asserts that IP addresses recorded by every website on the planet *uiihout 
additional infoiwxtkn\ should not be considered personal data, because these 
websites usually cannot identify die human beings behind these number 


strings.” •’ Whitten’s argument ignores the fact that the world i„ awash in rich 
outside information helpful for tying IP addresses co places and individjals. 

For example, websites like Google never store IP addresses devoid of 
context; instead, they store then connected to identity or behavior. Cottle 
probctbly knows from its log liles, lor example, that an IP address was used to 
a pamcu.ai email 01 calendar account, edit a particular word proc¬ 
essing document, or semi particular search queries ro its search engine. By 
analyzing the connections woven throughout this mas? of information, Google 

can draw some veiy accurate conclusions about the person linked to any 
particular IP address.” 5 

Ocher parties can often link IP addresses co identity as well. Cable and 
telephone companies maintain databases that asscxriate IP addresses directly to 
names, addresses, and ciedic card numlsers. Thai f dongle does not store these 
data associations on its own seiv»rs is hardly che pome. Othe.wise, nacional 


326. ftwa.ischcr.Are/PAJrtesws “PeiPETtR FLtlSCSILK PRIVACY...!, hrtptfnctcr 
neuscTkT.Wt)y^K»rc<>in/2007/02/jirc-ip-.ul(lrt*vitt.s-|x , rjion,il-J.iu html (Feb. 5,2007, 17:18 EST). 

327 Whirccn, supra tunc 324 (ctnpluiis aJdeUt 

528. See 20)8 Work .or Party Opinion, sirpi.i now 308, at 21 (“The correlation of customer 
netuyioor across different peisonaliscd set vice, of :i seaidi engine provider . t an also lie accomplished 

byomcr meins, based on. . othei disnngiiishmg ch.im.rei ones, such u» individual IP addresses “) 
329 W. at 11,16. 



1774 


57 UCLA Law Review 170 1 (2010) 

_■ ■ i ■ ■ i 1 


ID numbers in the hunch of private parties would not be “personal dai a” because 
only the government can authoritatively map these numbers to identities. 

Google can find citropy reducing infonnation that narrows l ? addresses 
to identity in many other places* Public databases reveal which IoP owns an 
IP address” 1 and sometimes even narrow down an address to a geographic 
rernon; m IT depar meats often post detailed network diagrams linking li 
addresses to individual chfices; and geokxation services try to isolate ! ? addresses 
to a particular spot on d ic baith. 3 ” In light ot me richness of outside i nforination 
relating to IP addresses and gi-cn the power of ^identification, Gcoglc’s argm 

ments amount to overstatements and legalistic evasions. 

Google's argumeiV that it piotects privacy further by deleting a angle octet 

of information from IP addresses > even more disappointingly fail*' «*nd mcor- 
rect. An adversary wlo is missing only one of an IP address’s four octets can 
narrow the world dawt to only 2b<5 possible IP addiesses. Google deserves no 
credit whatsoever s o: dclciir.g partial !P addresses; if there 15 a risK. to storing 
IP addresses at all Google has done almost nothing to reduce that risk, and 
regtilators should a;k them at the very* least to discard all ir address* s associated 
with search queries, following the practice of their searclvengine computers, 

Microsoft and Yahoo. ' 

i 

• b.Should the Data Protect ion Directive Cover Search Quo tes? 

Not only dees he easy r identification result highlight he flaws in 
Google's argument that IP addresses arc not personal, it also Juggests that 
European courts should rule that the E U Directive covers IP add* :s?es. Recall 
that the Directive applies broadly to any data in which a “persen ... can be 
identified, directly or indirectly, in particular hy reference to an i Jentification 
..umber or to one <>r more f etors specific to his physical, physiological, 

i 


130. Hcischct cwtcctl 1 pome, out tU ISPs .ire often fotWJcn mxntUscbsm,; ti e ^mdc ««< 

wkh nn IP Mat Ffchdic. sufna ««c 3 M CTm* ISP » !**«««» ul ' flcr ^ m P''"’ 6 ,™' 
riat information, nod then arc Min.hr k *>l ptoh.bit.ons under P.impean laws. ) TIiums no’d^nt 
from any other kind of accent number winch c.in ho authoritatively tied to identity o nly by the issuing 

entity All other entities irwt make ed« sited pieces. . ,, . . , . I7 

331. E.r. ARIN WHCHS Database Search, http7Avs.arm nctAvhoR (bst visitt J June U, ZUI ) 

("ARIN’s WHOiS set vice provides a me chantsro for finding contact and rcgihtraticn information or 
rramirees KRl rz> NETWORK SECURITY Pi RLE Ufi-1 8 (--005) (discussing 

" }J3. E.J.. lPzLcation.com. http //www.ipZIocation com (lost visited June I 2. 2010); Quova, 

http://www.qiKiva.cori (kv>t visited June 12, 2010) 

334. An octet 11 so named beam* ir conuins c^hr hits of data Z = * 

335. See note . 00 
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mental, economic, cultural or social identity.” 110 Because websites can often 
tie IP addresses to individual people, the Directive should apply to them. 
Still, courts in Germany, France, and the UK have held ro die contrary. Should 
the HU amend the Directive to even mote unequivocally covei IP addresses* 

The answer is not to expand the Directive to specifically cover IP 
addresses, as wc might have done when we still organized laws solely around 
Pll. instead, the EU should enact new, scctonl regulations that reflect a 
weighing of costs and heights fo»* specific problems In this case, rather 
dun a k whether any company holding an IP address should hear the burden 
of the EU Directive, the £U might ask whether the benefit of allowing search 
engines in paiticular to score and disclose information—including JP addresses 
associated wirh search queries—outweighs the potential harm to privacy.’" 

I must -ave for another day a complete response to rhis quosdon, but to 
dcn>opstrace the new cesc for deciding who" ro regulate after zke fall of anonymi- 
ration, I will outline why 1 chink seaich engines deserve to he regulated 
closely Compare the benefits and costs of allowing unfettered transfers of 
stored search queries to the earlier discussion about health information, cak¬ 
ing the benefits first. By analyzing seared queries, researchers and companies 
can improve and protect set vices, increase access to information, and tailor 
online expei icnces hotter to personal behavior and preferences These arc 
important benefits, but not nearly as important as improving health and saving 
human lives 

On the other side of die ledger, the costs to privacy of unfecteied access 
are probably as great fot search query information as frvr health information, if 
not greater. As die AOL breach revealed, stored search queries often contain 
user-reported health symptoms. 1 w In fact, Google takes advantage of this to 
track and map influenza outbreaks tn the U.S. J4 When one considers how often 
Google users tell Google about symptoms that ncvci escalate to a visit to the 
doctor, one can see how much richei—and rhus more sensitive—this infoi- 
mation can be than even hospital data 

We reveal even more than health information to seaich engines, supplying 
them with our sensitive droughts, ideas, and behavior, mixed in of course with 


336. £U D.ifii Protect khi Directive, •iu^a note 1, arc. 1(a). 

^37 In rive EU, the Arncic- 29 Woikiny Gump privacy uardulny ha*. piopovoJ Mmilarly special 
iiearmenr f<vi seaich engines 2008 Walking I‘.ury Opinion, supru note 308,ar 24. 

33S. Sec supra note 201. 

339 Oaiixuo & Zulicr, note 69 (“Her search history includes ‘UmJ tremors/ ‘nicotine effects 

on the body, dry month .irul bipol.ii But in an interview, Arnold .mi J she rourinely researched 

medical condition** tor Iver li ieixL> ro ;L>**uayc rheir nn\iuk*v“). 

340 Google.ot**, Hu TnnJ\ lvrt|v// wu * w .«,u^le.t>r**/lUicrends (la** omicJ June 12, 2010) 
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torrents of the mundane anti unth) eatcning. In an earlier article, l argued that 
the scrutiny of interne c usage—in that case by Internet ScrviccJ’rovide's— 
represent* die single gcatcst thr< at to privacy in society today.’” Regulators 
have underappreciited the sensilive nature of this data, hut events like the 
AOL data release ha /e reawak :ned them to the special qualey of scored 

starch queries. 

Because the cos;; of unfettered data access aie as high in the search- 
engine as in the 'reach context, EU and U.S. regulators shot Id consider 
enacting specific laws to govern the storage and transfer of this i ilotmation. 
Because the benefits are less thai. for health information, regulate s should be 
willing to restrict the .torage and flow of search query information even more 

than Hll’AA restr.ccs health inf -mint on 

Thus, the EU and U.S. should enact new internet privacy laws that focus 

on both the storage ard transfer. >f search queries. They should un kisc a quan¬ 
tity cap, mandating tnai compa tics store search queries for no Unger than a 
prescribed time” 1 They shouki set die specific time limit after const Icting search 
companies’ claims tha; they musi keep at least a few months’ wor h of data to 
serve vital business needs. They should also significantly limit thin l-party access 

to search query cluto. 

4 

'CONCLUSION 

Easy reidentification represents a sea change not only in tethnology hut 
in our understanding of privacy It undeimines decades of assumptions about 
robust anonymization, assumptions that Iwc charted the cours: for ousmess 
relationships, individual choicer, and government regulations. Rc eu la tors must 
respond rapidly and forcefully to this disruptive technological shift, to restore 
balance to die law and promet ail of v from imminent, significan harm. They 
must do this without leaning 0,1 the casy-to-apply, appealingly nondisruptive, 
hut hopelessly flawed emteh of | ersonally identifiable information Tills Article 
offers die difficult but necessary way forward; Regulators must use the factors 
provided to assess llvz risks of n identification and carefully balance these risks 
against countervailing values. 


341. Q. Julie Gihcn, Exommcd i nxsx: Iiiftirninttfinnl Privacy and the Subject ft Object, 52 STAN. 

L 342. Paul Ohm, The Rise and Fall if JSP Surwilfaikc, 2009 U. ILL L REV. Hi 7, 1417. 

343 See 2008 Worf inp Party Opinion, supra note 308, at 8 ("Search engine; play a crucial ro c 

as a first point of contact o access infoi >uat ion freely on the i nternct.'). 

344. Cf. id. at 19 ( TTIhc Working Pam doe. not .see a Kims for a retentK n period beyond b 

months "). 
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Although re identification science poses significant new challenges, it aLso 
liks die veil that for coo long Ips obscured privacy debates. By focusing regu- 
btorr and other participants ir. these debates much more- sharply on the costs 
and benefits of unfettered information flow, retdentification will make as 
answer questions we have too long avoided. We face new challenges, indeed, 
hut we should embrace this opportunity to reexamine old privacy questions 
under a powerful new light. 
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Introduction 

Tiie UID Authority of India conducted a Proof-of-Concept (PoC) study of biometric 
enrolment from March 2010 to June 2010 in the predominantly rural areas of Andhra 
Pradesh, Karnataka, and Bihar. The UIDAI also carried out the biometric enrolment of school 
diildren m the vicinity of Bangalore. About seventy five thousand people in all were enrolled 
during the first phase of the PoC study, and sixty thousand of the same people were re- 
enrolled during the second phase after a gap of three weeks. 


Prior to conducting the UIDAI PoC, there was insufficient reliable biometric data available 
for residents of India diat could be used to analyse and reach conclusions relevant to the 
implementation of tire UID program In addition, outside the state of Andhra Pradesh, there 
was no significant history of collecting iris images In the last five years, iris image capture 
devices have gone through significant technological advances There was however, limited 
data available from anywhere in tire world regarding the ease cf iris capture, as well as the 


usability of iris images in the case of minors. Therefore, the UIDAI felt it necessary to 
conduct Proof-of-Concept studies for biometric enrolment in several states, and analyze the 


data. 


Tins report chronicles these Postludes. The report consists of a narrative of the activities, 
observation? and conclusions based on numerous visits to die enrolment sites, and 
conclusions inferred through i) the statistical analysis of the processes and ii)by biometric 
analysis of die data collected during tire studies 


In the study, face photos, iris images, and fingerprints of all ten fingers were captured. The 
ten fingerprints were captured in two different ways, fust using a slap device, and then using 
a single finger device Rural areas were emphasized in the study for two reasons. One was the 
uneven quality of fingerprints expected from rural workers whose fingerprints could be wom 
out by protoaged physical labour. The secoud was to test tire UIDAT's ability to cariy out 
biometric enrolment in locations representative of the majority of Indian infrastructure, i e. m 
nieas with limited access to electrical power, proper lighting, and other support systems. 


Objectives 

The enrolment PoC was conducted to evaluate technical, operational, and behavioural 
hypotheses related to both the use of biometric devices and the overall enrolment process 
itself, it was aiso conducted to establish a baseline for the quality of biometric data that could 
be collected in rural India. 

* 

Technical objectives j 

» 

tj Measure the biometric quality that could be! achieved in rural Indian conditions 

it) Understand the difficulty challenges in capturing iris images, 

» 



3 
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iii) Determine suitable ergonomics in tte use of the biometric devices, and understand the 
optimal overall layout of the enrolment station. 

Operational objectives 

0 Carry out a time and motion study thiough observation, as well as andysis of process data 
collected tluougb the client software. 

Behavioural objectives 


i) Understand how people in lural India would respond to the capture of iris images. This was 

an important goal, since data on the experience of the public with iris capture devices is 
limited, compared to studies on fingerp: int capture 


ii) Overall response of ein 
be understood 


decs to the e Hire biometric capture process n the PoC needed to 

9 


There were also more intangiuk lesson;- that would be directly applicable to the actual UID 
enrolment, since the PoC was designed lo mimic UID enrolment. For instance, it was 

expected that the PoC experience woukl enable the UID team tc tailor bio metric enrolment 
best practices to be more applicable in Indian conditions 




Executive summary of outcome 

1. The Poc successfully conducted over 135,000 biometric enrolments. The relative .ease 

of conducting the ope ation confirmed that Dio metric enrolment conforming to UID 

standards of quality and process was ndeed possible on a large scale in rural India. 

The total biometrii enrolment time foi each individual, on average, was a little over 

three minutes. Of this, iris enrolment took a little under a mjnutand was not 

perceived lo be excest ively diff cult cither by the resident or the enrolling operator. 

Specifically, many blind people had their iris images captured (For details, see table 
Page 19) 



Multiple fingerprint soanneis as well as iris capture devices were used in the PoC, and 

they performed aceoiding to expectations The PoC was dispersed geographically and 

included many rural, often remote locations across three states. The enrolment was 

typically conducted with mininnl infiastructure and sometimes in extreme weather 

conditions. Euro Ices varied in age all (he way from four years to about ninety years of 
age. 



3. Older people took longer to cnr< d than younger people, and enrt decs whose 
employment involved manual w ork took longer to enrol than the rest of the PoC 
population. Older people needcu more assistance from operators to capture of their 


4 



biometrics. However, the range of enrolment times obseived was well within 
expectations and was not seen as making enrolment impractical. 

4. The enrolment variations tested in the process led to the conclusion that the best 
process was one where the enrolee remained stationary during enrolment and the 
operator did the positioning of the dev ices 

5. The enrolment of children in the school showed that children in the age range of four 
to fifteen could be bio metrically enrolled using the same process as that used for 
adults and with no additional difficulty. The match analysis also showed that their iris 
images and fingerprints could be deduplicated as accurately as those of adults. 


6 . 
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The quality of the biometric captuie was sensitive to the setup of the enrolment station 
and the process itself Most importantly, the enrolment operators instructions made a 


significant difference in the efficiency 


of the biometric capture. 


The quality check process built into the enrolment software was very important and 
provided helpful feedback to the operator in capturing high quality images. 


g The biometric matching analysis of 40,-000 people sliowed that the accuracy levels 
achieved using both iris and ten fingerprints were more than an order of magnitude 
better compared to using either of the two individually. The multimodal enrolment 
was adequate to cany out deduplication on a much larger scale, with reasonable 
expectations of extending it to all residents of India. 


Chronology of planning and execution 

h was decided that the PoC would be done in three states: Andhra Pradesh, Karnataka, and 
Bihar At least 20,000 sets of biometric data had to be collected in each state. To analyze the 
accuracy of bio metric matching, tire same set of biometric samples had to be collected again 
after a suitable time lag of three weeks. In order to ensure that the 20,000 sets of duplicate 
data could be collected, the initial enrolment target in each state was 25,000. This would 
allow for a minority of people not showing up for re-enrolment duiing the second round. 

The regional offices of the UIDAI in conjunction with the technology team worked with the 
state governments to plan the PcC In Andhra Pradesh and Karnataka, the Food &Civil 
Supplies department was designated the nodal agency for the PoC study. In Bihar, the PoL 
was done in conjunction with enrolment for the NREGS e-Shakti project. 


Choice of locations 

Tlie following factors were considered while choosing locations for the PoC. 

i) The enrolees at the PoC locations had to be representative of the Indian population 
in biometric quality. This meant that over eighty percent ot the PoC locations 




• t* 



were rural, since the majority of India lives in villages. Howrvci, the remaining 
twenty percent of t ie PoC sites were urban locations close tc large cities, in order 
to have urban area; well represented in tin. biometric sample > collected. 

ii) A further consider; tion was I hat the rural locations should be at least fifty 
kilometres away from die large metropolitan areas, such as Eiangalore or 
Hyderabad. This was done slice a sampling of closer locations showed that the 
working population of the villages close to mcuopohtan arers typically commuted 
to urban locations for woik, .nd in general, the population was more 
representative of u ‘ban popu lations. 

iii) The goal of the To T was to c ollect data representative of InO ta and not necessarily 
to find difficult-to use biometrics Therefore, extremely remote rural areas, often 
with populations s Dccializmj, ui certain types of work (tea p aiuation workers, 
areca nut growers, etc.) were not chcscn This ensured that degradation of 
biometrics characteristic of: uch narrow groups was not oveaepresented in the 
sample data collected 

iv) Tor tbc three PoC: (apart from the school PoC), the goal vva; to emol adults. In 
Karnataka and Bit ar, only residents above 18 years were allowed to enrol. In 
Andhra Pradesh, adults were encouraged to enrol and very lew minors actually 

enrolled. 


rhe state nodal agencies in collaboraticn with the UID team and the enrolment agencies 
tccordingly selected a set of ocalious to conduct the PoC. T n Andhra Pradesh and Karnataka, 
wo districts each were chosen for the FoC. In each district, five village s were selected for 
enrolling people. In Bihat, th: villages scheduled foi PoC enrolment was decided by the\> 
Shakti schedule. 


he PoC was subsequently conducted in ten villages each in Kaniatakn and Andhra Pradesh, 
nd in over thirty villages in Bihar. The choice of villages across states met our goal of 
eographie diversity since the PoC locutions were widely dispersed 

Within each village, the enrolment location selected was usually the local primary school or 
thcr public building (photo' below). 1 he eiuolmcnt agency bi ought computers, biometric 
evices and related equipment. In mosl areas, one or two power generators were also brought 
3 provide reliable power for lighting and computers. The enrolment was carried out using 
really available furniture. 


PoC enrolment was also conducted in I lie Deputy Commissioners" off ecs in Mysore and 
Tumkur cities. Finally, PoC enrolmenl for school children between 4 years and 15 years was 
conducted in a Bangalote sciool. In Karnataka, the villages chosen were those with Gram 
Panchayat offices, i.e., large * villages. In Andhra Pradesh and in Bihai, this was not always 
so. The following is the list of PoC locations. 
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Figure 1 Typical PoC Enrolment location 
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Figure 2 Typical PoC Enrolment room 
Biometric devices 

Fingerprint scanners and iris capture devices from three different vendors were used in the three 
PoC states. In Karnataka, the iris devices were from Iris ID (formerly LG Iris) and tne fingerprint 
devices were from Morpho (formerly Sagem). In Bihar, the fingerprint scanner and the ir-s capture 
davice were both from Crossmatch Technologies. In Andhra Pradesh, the fingerprint scanner and iris 
capture devices were both from L-l Identity solutions. In Andhra Pradesh, both a single-eye iris 
capture device and a two-eye iris capture device were used. The Crossmatch iris devices were 
binocular type, the L-l iris devices were hand-held, and the Iris ID iris devices were mounted on 
tripods, but could also be used as hand-held devices. Using multiple devices added further to the 
diversity of the PoC process and later enabled us to match images captured using d-fferent devices. 


Preparation of enrolment agency and software 

Enrolment agencies who had already worked with the respective states on previous projects 
were chosen to implement the PoC by the respective state government agencies. The agencies 
were 4G ID solutions in Andhra Pradesh, Comat Technologies in Karnataka, and SmarTech 
Technologies (an arm of Glodyue) in Bihar. In parallel, biometric devices were procured for 
the PoC. The biometric devices procured were the following: iris capture devices, iris and 
face capture devices, slap fingerprint scanners, and single finger captuie devices. 

The enrolment agencies had varying levels of biometric enrolment experience. The UID 
technology group worked with each agency to ensure adequate training and prescribed the 
process flow to be followed. 
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A reference implementation of the enrolment software was created 10 standardize the process 
and have a uniform look-.uid-fecl ol the application across all tliree states. However, since the 
devices used were diflere it in each slate, the enrolment software us ed in each state was a 
custom version which fohowed the reference design. The UID technology team worked with 
each of the three agencies to create (he customized software to be used in the ccnesponding 
state. There were also vauatiens in ihc capture process followed, particularly in iris capture, 
because of the variations in captuie devices. 


A special feature of the enrolment softwaic was that all biometric images .vent through a 
software quality check process The quality check weald indicate <j pass or tail based on 
minimal acceptable quainy of the image. If the quality check failed, the image would still be 
stored, but the operator Mould be required to recapture the image, 'lie enrolment software 
entailed the operator to repeat the capture up to four times. The soil ware ensured that the 
operator was not able to proceed to ihc next step until the recapture v'as done. 


One important aspect of (lie enrohven* software was the capture of piocess data along with 
biometric and demographic aata. Thus the number of capture attempts and timestamps 
captured at numerous points in the capture process were wiulen ini o an XML f»Ie during 
enrolment. This enabled us to evenlually carry out a detailed analy us of the process. 




Prc-enrulnicnt fitJu <\n0 dat i p* eparaHc/n 

The initial step was to work with the local authorities to find possible enrolment locations and 
make preparations foj ge ting people to show up. The local authorises typically went house- 
to-house to inform residents about ihc date and time they were to < nrol. ihc authorities would 
also be present at the enrolment centre to ensure that people did show up, resolve any 
disputes among the enrobes and maintain order. The part played by the local authorities was 
consequently crucial o the success of the enrolment drive 

The enrolment agency supervisors Msited the locations to identify the most suitable buiicuug 
for the enrolment centre, ahead of ihc start of the PoC. They also c [ranged for the right 
furniture among whaf was available in the building and set up the enrolment stations to meet 
the PoC needs. One important point was that the table should not he too wide and the heights 
of the operator, and size af the chairs for the cnrolcc should accommodate the biometric 
capture process. 

Additionally, it was ensued that there was adequate space for people to wait outside since 
people crowding around the biometric stations would disturb the p locess. However, a few 
chairs were kept nearby for observers since it was felt that each re ddent observing the 
process before his or her enrolment would improve the person s c;*sc of enrolment. Postcis 
describing the biometric process (shown in photograph below) were also put up at the door of 
the enrolment centre to help euro lees familiarize themselves with the process. 

In parallel, (he demographic data (f the residents of the local talul or mandal was obtained 
from the food and civil supplies d< part merit and loaded into the appropriate laptops. Blank 
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forms were also kept at the enrolling centres to accommodate people who did not appear m 
the database, but wished to enrol. 

Provisions were made for a bucket of water and towels for residents involved in manual work 
to clean their hands before enrolment. Also wet and dry clothes were kept at each enrolment 
station for assisting people with overly dry fingers. 






Figure 3 Poster describing biometric capture for residents to observe 
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Enrolment Process 

The basic process and associated workflow enforced by the enrolment software is described 
below. There were minor variations in each state due to the different devices used and the 
differences in demographic data collection; these variations are listed subsequently. 

I xhe enrolee would arrive at the enrolling centre with an identifying card. The first 
station was a non-biometric station where the demographic information of the enrolee 
was cither collected from the card or retrieved from an existing database. A. form 
populated with die demographic information was then printed (01 in some cases, 
fonns were printed ahead oftnne) and any necessary corrections made. The 
demographic information collected was name, address, date of birth (or age), and 

occupation. 

During the second round of enrolment, the tear-cf: receipt (described m step 6) was 
used to identify the application number of the appheaut. 

Following this the enrolee was sent to an available biometric enrolment station. 

2. Using the application number from the application form or first round receipt, the 
enro , .ee , 's demographic record was populated in the enrolment screen. At this point, 
the operator would check for biometric exceptions (missing fingers or eyes) by asking 
the enrolee to show his/her hands. If there was an exception, it would be marked in 
the exception section of tire screen, and the information would he stoied in the XML 
file along with tiie demographic information. 

Once ihe above process was completed, the b.oir.etric capture would start. The> 
enrolee would fust sit down facing the operator and the face photo would be captured 
by a webcam. The enrolment software would then perform a qualify check aud crop 
the image. If die quality check or image cropping failed, the photo would be 
.ecaptured up to a maximum of four to'al attempts The cropped face photo would be 
shown on a small frame on the right and it would reniain on display during the rest of 
the biometric capture (see Annexure 1 for screen shots;. 

A white non-re fleeting background screeu was placed behind the enrolee"s chair to 
provide a uniform background for face photo capture, and ensure that the background 
portion of the photo quality check was met. While capturing face photo, the enrolee 

4/ was instructed to look straight and keep his or hei mouth closed. 

* 

During the second round of enrolment, the face photo from the first round of 
enrolment would appear cn the application screen so that the operator could confirm 
dial die same person whose biometrics had been captured in the fust round was befog 
re-enrolled. After confirming that the photo matched the enrolee, the operator would 
capture a new face photo which would be cropped, and replace the earlier photo on 
die screen. The photo would be stored along with the other biometrics in the second 

round database. 


<i 
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4. The iris images of the enrolce weie captured with a singFe-t yc or two-eye iris capture 
device. Based on he results of the quality check, the image; would be recaptured for 
a maximum o -'fom' total attempts While capturing iris mia *c, the enrolce was 
instructed to look straight into the LEDs, rectangle or othci appropriate point 
(depending on the device), >pcn his or her eyes wide (“lool. angry or glare”) and to 

no? biink 



5. The three slap fingerprint images (4-4-2), i.c left hand slap, light hand slap, and slap 
image of the two thumbs, v ere captured. As above, based on the results of the quality 
check, die capture would b< attempted up to four times Tl e slap fmgcqinnt capture 
was done with the cnroice : landing. This was to ensuic that the person could apply 
sufficient pressure to be able to get good fingerprints. Win c capturing fmgciprint 
images, the enrobe was instructed to open their hands, place theii fingers flat on the 
platen in the correct position and p r css their fingers down umly. 

6. Individual finger orin^s of all ten fingers were captured usu ig a single-finger capture 
device. The individual prims were matched with the corresponding prints from the 
segmented image s of the s ap fingerprint captured in step 4. If the fingerprints d*d not 
match, step 5 was repeated s while still not exceeding a toti l of four’ slap attempts fbi 
each type of slap capture. This capture was also done with the cnrolec standing. 

7 If one or mo* e o ' the enrol: e'e fmgei s o'* eyes were rnissir g, an exception photograph 
of the cnrclce's ace along with lx>th hands opened to show the missing fingers would 
be captured. Thi; was in eider to haw a visual record of the missing biometrics. 

8. In the first rounc of enroll icnl, n tear-off receipt that was printed at the bottom of the 
application form was give \ to the enrolce, and the cm dee was asked to biing the tear- 
off receipt when returning fci re-enrolment m the second round. 




f igure 6 Damaged finger exar iple 



figure 7 D?magec eve example 
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Process Variations 

1. Identifying document of enrolee: The enrolee would come to the enrolling centre with 

his or lier ration card in the case of Karnataka and Andhra Pradesh. In Bihar, the 
enrolee was asked to bring his or her job card. Neither of these cards would 
conpletely identify the individual since a single ration card listed all members ol the 
family and each job card would list all adult members of the family. Sc, an additional 
digit was appended to the ration card or job card number to create an application 
number identifying the individual. „ 

Collection of demographic information- In Karnataka, a pre-printed form which had 
the relevant data for the enrolee was chosen from a stack containing forms for all 
res went s of the village sorted by ration card number This was handed to the eniclce 
In Andhra Pradesh, a form containing die eiirotee information was printed at the 
enrolment site and lianded over to die enrolee. In Bihar, the enrolees were asked to fill 
in the form (if necessary, die enrolment agency employee filled the form for the 
enrolee) and the data was then entered info die application. 

2. For iris capture, there were three variations in the three states. 

In Bihar, a binocular type iris capture device was used Ideally, the enrolees would be 
able to hold the iris device to their eyes unassisted, and wait for the iris capture to 
complete. In practice, die operator sometimes helped hold the device up, particularly 
in the case cf older enrolees. 

Iu Andhra Pradesh, the operator held the device The enrobe would stand up and the 
operator would bring the capture device close to the e:iro!ee' < s face and then move the 
device back slowly to capture the iris image. Both siugle*eye devices and dual eye 
devices were used. Dual eye device were used foi about 61.5 percent of the 
enrolments and the remaining were done used tlie single eye device. 

In Karnataka, a dual eye device was used and it was mounted on a tripod for a large 
part of the PoC. The resident would move his or her face slowly towards the device 
and the device would capture the iris image at the appropriate distance. A small 
portion of the PoC was done using the iris capture device as a hand-held device, 
where the operator moved die device towards the enrolee'^ eyes The PoC done later in 
the school in Karnataka also used the same dual eye device as a hand held device. 
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Figure 8: Karnataka- iris camera mounted on a tripod 


Enrolment software 

The enrolment software had the foll.owindscreens (Annexurc 1) 

1. Demographic data and biometric exception captuic 

2. Face photo captur: 

3. Dual iris capture 

4. Slap fingerprint c< pturc - di ice slaps to captme all ten fingc rprunts 

5. Capture of ten fingerprints using a single finger device 

6. Capture of an exception pho Lograph if necessary 




The following are a few noteworthy points related to the enrolment software: 

Oucc the face photo was captured and cropped, it was displayed on a small frame during the 
capture of all the other biometrics, "'his would allow the operator to avoid mistakes and avoid 
combining the biometrics of two dilfcicnl individuals in one enroll lent if there was an 
interruption halfway through the enrolment process. 


There were visual biofiictric quality indicators associated with eacl image, which the 
operator could use to quickly gauge image quality (Anncxurc 1). Tins was done to avoid the 
necessity fur the operator to interpret quantitative scores. 
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The enrolment software would save time stamps during eacii screen transition, i.e. when 
moving from one of the screens (1 to 5) listed above to any of the othei scieens. This was 
used to measure tire “process* time associated with the caprine of each biometric. The time 
measured was not directly related to the time spen f by the device to capture the image. 


In tire context of the UID, the time required for enrolment of each peison was a very 
important factor since it directly translated into the resources needed. Therefore, it was 
important to record the overall ‘.‘process” time related to the capture of each biometric and not 
only the device capture time. For instance, the time measured included the time spent by the 
operator giving instructions related to the biometric capture, the time spent in the enrolee 
positioning himself or herself for the specific biometric etc. 


Tims the measured fimes may not be applicable in a different context. In particular, when the 
emolee is experienced in tire process ano if selfenrolment is done, the conclusions reached 
here would not be valid Also, the measurement was not designed to measure device 
efficiency beyond the UID context. 


Tne “process” timesiamps and the number of attempts captuied by the software allowed us to 
compute average captuie times and the average number of capture attempts per biometric. In 
conjunction with the age and occupation captured in tire demographic screen, we were also 
able to analyse the average capture time and average number of capture attempts by age and 
by occupation. This was important since tliere are several occupations where repeated 
rubbing and scratching of fingers result in worn out fingerprints. 


Finally the software also indicated the number of fir. gets and eyes for which images^ could not 
be captured in each enrolment, because the corresponding finger or eye was missing or 
damaged. Even in these cases, the remaining biometrics were captured and the enrolment was 


completed successfully 


Re-enrolment Rates 


One of the important goals of the PoC was fo create known duplicates by having each enrolee 
come back, after three weeks fo be re-enrolled During the planning of the PoC, there was 
apprehension that a significant number ot enrolees would not come back for re-enrolment. 
This was a source of concern particularly in Karnataka and Andhra Piadesh, where the PoC 
was not associated with any ongoing government benefits program and was a standalone 
experiment. Therefore, incentives were provided for enrolees to re-enrol. In And lira Pradesh, 
and Bihar, each enrolee was given seventy rupees following re-enrolment. In Karnataka, a 
small snack was provided both during the first round and during the second round of 
enrolment. Despite these efforts, the conservative target rate of re-enrolment was set at eighty 
percent. Therefore twenty-five thousand people in each state were targeted in the first round 
to generate matched pair of twenty thousaud after the second round. Actual re-enrolment 
rates were very good and the enrolment agencies were able to reach the targets without much 

difficulty. 
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The following are the acti al re-enrc!mcn( rates observed 

, Karnataka Re-enrolment Rates 
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Observations 

The following are the observed average capture times and number ot attempts 
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The important process time averages aie as shown below' 

Average biometric enrolment time for adults is 3 minutes 17 seconds 

Average biometric enrolment time for children (4 to In years) is 2 minutes 21 seconds 

Capture times analyzed by age, occupation, and gender arc listed in Annexure 2 
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Tab'e: Sicmalric Exceptions (missing eyes and fingers) 


The average time required for capture of lace photo, fingerprints of ten fingers and iris image 
of adults was three minutes and seventeen seconds. Of this, a little over half the time was 
spent on fingerprint capture. The time for iris capture was a little below one minute, and face 
photo capture took over half a minute. The iris image capture time varied significantly by 
age, with people above eighty taking twice as long as people in their twenties. The variation 
in capture time of fingerprints was low-er with the older group taking twenty percent longer 
than the younger group. One apparent anomaly in. fingerprint capture times is that 20 to 30 
year old people took longer to have their fingerprint captured titan older people. This can 
possibly be attributed to the fact that they may be engaged in occupations involving heavier 
physical labour and correspondingly more wear on then fingerprints than their older 
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counterparts. The average capture time foi iris‘images and fingerprints for children were no 
worse than that for adults. This included the youngest children who were only four years old. 

Tiie eruoiment time also showed sig lificant variation by occupation, with the occupations 
involving physical labour showing lougcr enrolment times. For example, agricultural 
labourers took about oue-t ! urd longer to have their fingerprints captured compared with 
public and private sector employees and other white collar workers. Similarly, for iris 
captine, the variation v'as >ver thirty percent. 

There were many blind people who bad their ins captured successfully This was because 
even though they were blind, their u is was intact Similarly, many people with worn 
fingerprints had their finge rprints successfully captured. The table aoovc shows that the 
percentage of residents cut oiled with one or moic missing fingers was only a little over one 
percent and the percentage cf enro lors wan one or both eyes miss in j was less than one 
pei cent of the total enro let population. 

The enrolment PoC for children showed that the process of emoilin \ childien in the age 
r ?J pge of four to fifteen was not sign iticanHy haidcr than tha*. of enr< lling adults. 

Process observations 

An important conclusion leached wes that the best possible way for conducting biometric 
enrolment was to have the enrolcc bo statiunary and have the opera I oi do the positioning of 

the device. 

It was also clear that the operator instructions to the resident were very important. Ihe best 
results obtained in terns c f quality and efficiency was when the operator spent a few seconds 
ahead of each biometr c c ipture clearly explaining what was tequir :d cn the part of the 
enro lee, for example “ <ec d eyes wide open”, “keep fingers flat on t ic piaten and press haid , 
etc. This was much more iffective than trying to correct the eruolce's gaze, positioning etc 
during the capture of the l »io metric. 

The use of quality cheek software clearly helped in two ways. The list was that there was a 
clear message that quality of data collected mattered to the UIDAI md that the quality was 
going to be monitored Tfe second was that the operator began to rxognize good quality 
images and over time ms well versed in c ollect uig high quality im iges. 

The physical layout of the devices r nd the ability of the operator to reach out and help the 
enrolee as required w'ere nlso seen to be important. Therefore the width of the table Lad *o be 
small enough so that the operator could reach across. The other option was that the enrolee 
stood next to the operator on the rig lit side for fingerprint capture. 

The ambient light was not always s ifficient to capture good quality face photographs even 
during the day. Tabic lamps or other artificial lighting was often needed. 

The mobile USB tethered iris devices used were adequate foi capturing good quality images. 
In addition, fingerprint images from different devices were irutchc \ and there were no 
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compatibility issues in doing the matching. In general, the devices worked ns expected. The 

differences in process were much more significant compared to the diffeiences in devices. 

1 

Iris enrolment was eminently possible from the operator's perspective and was also well 
accepted by the enrolee. In fact, the iris capture took less time than fingerprint capture. 

Older people sometimes needed assistance in positioning themselves (see picture below) and 
often required assistance in pressing their fingers hard enough on the platen to get good 
fingerprints. Children were able to position themselves correctly and maintain the position 
long enough for successful capture of all three biometrics. 

The PoC was conducted in the summer months of April, May and June in Medak district of 
Andhra Pradesh and in Nalanda district in Bihar Dm ing a few days when the PoC was in 
picgiess, the temperature reached 44 dcgiecs Celsius in Nalanda. distuct Despite the extreme 
temperature and the fact that no fans were available, enrolment went on normally. 

In conclusion, it is clear that it is possible to collect good quality biometiics in rural India 
aespjte existing shortages in infrastructure, and the biometric variations within the rural 
population R.easonable processes can be specified to unoertake enrolment on a much laiger 

scale 



Figure 9: Older resident being assisted with slap fingerprint capture 
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Figure 10: Eighty six y’ 


ar old resident being 


assisted with iris caplure 


r 


Biometric observvbit ns 

The ultimate goals of biometric enrolment for the UIDAI arc two-fold. One is to carry out 
biometric deduplication for all enrolccs in India, and the second is I o authenticate the 
biometrics of an enrobed resident on demand. Therefore, these acti vities have been the focus 
of the analysis conducted on the PoC data 

Bicinetp'c malchabi'it ' analysis wa done on the PoC. data to undo stand the quality of the 
data and how well it could be used for deduplication and authentication. The basic tool used 
to study the results is (he ROC (Receiver Operational Curve) which shows how two types of 
potential errors can be traded off ag ainst each other for the given * t of data. Two of the ROC 
curves that were obtained from the analysis are shown in Annexurc 3 to show a sample of the 
analysis and to explain the results. The analysis was done using images of ten fingeiprmts 
and twu irises. The face biometric Vi, as uot used for matching. 


Terminology 

The following terminology is needed to understand the results. 

Identification: This is the process where any one person’s biometrics is matched with that of 
all the other people in the database This results in establishing the cnrolec"s biometrics as 
either unique or as a fikey duplicate of the biometrics of an cnrolc c who had enrolled earlier. 
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FPfR: False Positive Identification Rate: This is the likelihood that a person s biometrics is 
seen as a duplicate (i.e., the biometric deduplication software identifies his biometrics as 
matching with that of a different person), even though it is not a duplicate in reality. 

FNrR: False Negative Identification Rate: This is the likelihood that a person enrols a second 
time and die deduplication software is unable to identify theh biometrics as a duplicate set. 

Verification: This is the process where a person^ biometrics is compared only with a copy of 
his or her biometrics that was captured earlier. 

FAR: False Accept Rate: This is the likelihood that a person's biometrics is matched against 
a different person and die biometrics is seen to match, i e the person is wrongly seen to be a 
different person. 

FRR: False Reject Rate: This is the likelihood dial a person's biometrics does not match 
against an earlier sample of tiis or her biometrics and so he or sne is not recognized as the 
same person. 

Results 

The matching analysis was done on two sets of 20,000 biometrics, tor a total of 40,000. 
However, the number of comparisons was several orders of magnitude more than 40,000, 
rinee each set of fingerprints would be matched against e/ery other set cf fingerprints in the 
data set. Similarly, die iris images from each person would be marched against that of every 
other person in die data set. Therefore, die results are statistically significant and can be 
extended to larger populations. 

We will now compile die data on the accuiacy obtained by enroiiiug with only fingerprints, 
enrolling with only iris images, and by enrolling with both biometrics. We will do so using 
the Identification ROC curve shown in Appendix 3 To compare the accuracies in these three 
cases, we will look at the point where the FPIR (i.e. the possibility that a person is mlstakeu 
to be a different person) is 0.0025 %. 

Comparing the FNIR numbers achieved, the FNIR using two irises only is 0.5%, that 
achieved by using ten fingers only is 0.25%, and that achieved by using ten fingers and two 
irises is 0.01%. The conclusion we can draw' :s that accuracy achievable using ten fingerprints 
is twice that of die accuracy achieved using iris images. Even more important, the accuracy 
achieved by using ten fingerprints and two irises is fifty times better than by using irises 
alone and twenty five times better than by using fingerprints alone. The accuracy level 
achieved was 99.99% in this case. 

Looking at the verification ROC for children and adults, we can see that the accuracy 
obtained in matching for children using iris is better than that for adults. Similarly, the 
accuracy obtained using fingeiprints is better for children than for adults.. 

By doing analysis as shown in the examples above on real data captured under typical Indian 
conditions in rural India, we can be confident that biometric matching can be used on a wider 
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scale to realize the goal o creating unique identities. We have further confirmed that is true 
as much for children as fe r adults. 


Conclusion 

The PoC study was a useful piecursor to large scale UID enrolmcu and has validated our 
hypotheses regarding biometric enrolment. Iris enrolment was not particularly difficult, and 
dramatically unproved the accuracy levels that could be achieved. I he biometric accuracy 
levels nccessarv for deduplication c f oil tesidenfs of India aie achievable. The time needed 
for capture of biometrics in typical rural conditions is small enough to support large scale 
enrolment. In concius-on. tire PoC study was a productive pari of the ongoing rollout of the 
UID program. 
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Annexure 1 - Enrolment application screen shots 
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Annexure 2 - Enrolment times by age and demographics 



Euro Intent times by age 
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Annexure 3 - Biometric matching accuracy curves 
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India's ID card scheme - drowning in a sea of false 

positives 


by David Moss 
March 2Q11 


* UIDAI cannot possibly deliver what they promise. 

* Their own figures prove it. 

* If Indta is relying on unique identification, 
then India has a serious problem. 


Abstract UIDAI conducted a proof of 
concept trial of their Aadhaar project 
between March and June 2010. This 
paper reviews their report on the trial 

'U fi ■ i n> *'!* 11 c‘ 11 ! l < k *i ii oiii'i«] ii 

"o\ 1 published m December 2010. 


First UIDAI promised that Aadhaar 
would deliver unique identification. 
Then they conducted a proof of 
concept trial to see if it can. 

That's back to front . 


"The logo for Aadhaar, 
a sun in red and yellow, 
with a fingerprint traced across its centre 
...a new dawn of equal opportunity 

for each Individual* 


Which quite unnecessarily exposed 
UIDAI to reputational risks if the trial 

disproved the concept. And not just UIDAI. The very senior politicians they 
had involved m Aadhaar could be embarrassed. The Indian people could 
have some legitimate questions about the proper use of public money and 
the competence of their government and its agencies. 


The trial did disprove the concept and this paper recommends that UIDAI 
quickly re-establish the logical order of the Aadhaar project. 

It should be made clear to politicians and the media and the public that 
UIDAI's promises depended on representations made to them by the 
biometrics industry . Those representations should be published. The 
biometrics companies 1 names should be prominently highlighted in all 
relevant publicity material. It is the directors of the biometrics companies 
whose names and faces should be well-known and should be firmly attached 
to all the promises of unique identification, not UIDAVs directors. 

That way, if Aadhaar starts to unravel, if the sun fails to rise on the H new 
dawn of equal opportunity" - in short, if the argument in this paper happens 
to be right - the blame will be placed where it belongs and not, the wrong 
way round, on UIDAI. 

It should be an easy decision to make, to adopt this recommendation . The 
alternative after all, is for UIDAI to look like the credulous dupes of some 
over-ambitious salesmen, dupes who wasted billions of dollars of public 
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money while claiming to be "pro-poor", 

-o O o- 

Introduction India has a population of something over a 
billion people and it is the job of the Unique Identification 
Authority of India (Uh><\i) to enrol them all onto a population 
register - the CIDR or Central ID Repository - and to issue 
them with ID cards. 

UIDAI have adopted "Aniih.i.u" as a brand name. Your 
Aadhaar (denoting foundation and support) is primarily your 
unique identification number, issued by UIDAI, but.it is meant 
also to denote UIDAI-related personnel, systems, services, and 
products such as the ID card itself, and it is meant to inspire 
nationwide trust in them all and rock-solid confidence that the 
benefits of their project will be delivered. 

-o O o- 

The UIDAI Model According to the UIDAI Model: "The existing 
patchwork of multiple databases in India provides scope to 
individuals to furnish different personal information to different 
agencies". India is not alone in that. 

The question is, why should the CIDR database be any different 
from all the other databases? And the answer is, everyone 
hopes, biometrics: "The UIDAI has been setup by the 
Government of India with a mandate to issue a unique 
identification number to all the residents in the country. A key 
requirement of the Aadhaar is to minimize/eliminate duplicate 
identity to improve the efficacy of the service delivery. 
Biometrics features are selected to be the primary mechanism 
for ensuring uniqueness ... Therefore, it is necessary to create 
a UIDAI Biometrics Centre of Competence (UBCC) that focuses 
on the unique challenges of UIDAI". 

The "mission" of UBCC is: "To design biometrics system that 
enables India to achieve uniqueness in the national registry'. 

The CIDR will store and use biographical data, in addition to 
biometrics: "Registrars will send the applicant’s data to the 
CIDR for de-dupltcation. 7 he CIDR will perform a search on key 
demographic fields and on the biometrics for each new 
enrolment, to minimise/eliminate duplicates in the database ..." 

But UIDAI aren't sure about the accuracy of biographical data, 
not in the same way they're sure (with good reason?) about 
biometric data. At least for the moment, the support and 
foundation of the CIDR is meant to be biometrics, not 
biographical data: "While certain demographies!information is 
also provided, UIDAI provides no assurance of its accuracy. 
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Demographic information shall not be used for filtering during 
the de-duplication process, but this capability shall be 
preserved for potential implementation in later phases of the 
UIDAI program". 
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Biometrics Should UIDAI be so sure? How reliable are the 
biometrics Aadhaar depends on? 

Earlier reviews of the chaotic mass consumer biometrics 
market suggest that UIDAI have taken on an impossible task. 

But now UIDAI have conducted their own, up to date, proof of 
trial and, in the Conclusion section of their report, they 
say: "the biometric accuracy levels necessary for deduplication 
of all residents of India are achievable". This follows the claim 
in the Results section of the report that "we can be confident 
that biometric matching can be used on a wider scale to realize 
the goal of creating unique identities". 

In fact, those conclusions do not follow from the evidence 
reported. Nothing in UIDAI's surprisingly low quality report 
suggests that it would be feasible to prove that each electronic 
identity on the CIDR is unique. Not with a billion* people on 
the database. Far from it, India can be confident, from the 
figures quoted in UIDAI’s proof of concept trial report, that 
deduplication could never be achieved. 

-o O o- 

The sea of false positives It just takes a simple two-step 

argument to prove the point. Nowhere does the maths involved 
rise above schoolboy level. 

Step 1 - uniqueness 

UIDAI must create one electronic identity on the CIDR 
corresponding to each real person in India. Each electronic 
identity will include a copy of the person's fingerprints and 
irisprints. If UIDAI are to prove that each electronic identity is 
unique, then each set of biometrics must be compared to, and 
shown to be different from, every other set of biometrics. 7 

UIDAI know that. As they say in the Results section: "the 
matching analysis was done on two sets of 20,000 biometrics, 
for a total of 40,000. However, the number of comparisons 
was several orders of magnitude more than 40,000, since each 
set of fingerprints would be matched against every other set of 
fingerprints in the data set". 

How many unique pairs of biometrics can be chosen from 
40,000? Answer: 40,000 x 39,999 / 2 = 799,980,000. UIDAI 
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are right. 40,000 is a number of the order of 10 4 , whereas the 
number of comparisons which have to be made to prove 
uniqueness is of the order of 10 s . 

The population of India is of course not 40,000. More like 1.2 
billion or 1.2 x 10 9 . So that the number of comparisons 
between pairs of biometrics that would need to be made to 
prove uniqueness is 7.2 x 10 17 . 

Step 2 - false positives 

It would take a very long time but, in a perfect world, those 
7.2 x 10 17 comparisons could be performed by computer and it 
could be proved automatically that there are no duplicates, i.e. 
each electronic identity is unique. 

In the real world, problems arise. UIDAI say quite rightly that 
they must expect the odd false positive. In other words, on 
occasion, it will look as though two people have the same 
biometrics. 

There may be hundreds of reasons for that. Here are just four 
of them: 

• The equipment used may not be entirely reliable. 

• An over-worked UIDAI agent may by mistake register Mr 
Clark's biometrics against Mr Baker's name. 

• Mr Clark may have naughtily enrolled twice, once in his 
real name and once as Mr Baker. 

• Mr Clark and Mr Baker may genuinely be two different 
people who happen to have the same biometrics. 

When a false positive arises, it has to be investigated by a 
team of human beings. It can't be resolved by computer. 

How many false positives should India expect? In the Results 
section of their report UIDAI define FPIR, the false positive 
identification rate, and they say "we will look at the point where 
the FPIR (i.e. the possibility that a person is mistaken to be a 
different person) is 0.0025 %". At that point, UIDAI would get 
2Vi false positives on average for every 100,000 comparisons. 

Given that UIDAI have to make 7.2 x 10 17 comparisons, how 
many false positives should they expect? Answer: (7.2 x 10 17 ) x 
(2.5 x 10 5 ) = 1.8 x 10 13 . That's 18,000,000,000,000 false 
positives for people to investigate and resolve. 

It's just not going to happen, is it. India has got better things 
to do with its time than to dean up the mess left behind by 
today's unreliable mass consumer biometrics. 

And that's the end of the argument. 
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To prove uniqueness, every single Indian would have to 
investigate and resolve 15,000 false positives. Long before they 
had finished, many of them would be dead, many more 
Indians would have been born, and the task would remain 
incomplete. Using UIDAI's own figures, India can be confident 
that the proof of uniqueness is not achievable. Not in the real 
world. 

If any journalist asks UIDAI the question "are you sure that all 
the IDs on the CIDR are biometrically unique”, the only truthful 

answer is "no". 

UIDAI cannot possibly deliver what they promise. Their own 
figures prove it. If India is relying on unique identification, then 
India has a serious problem. 
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Feedback How many false positives would be manageable? 
One million? To achieve that, the FPIR would have to be 
18,000,000 times smaller/better than 0.0025 percent. Is that 
feasible? How many more staff would UIDAI need? How much 
more would UIDAI have to spend on top quality biometrics 
equipment to make that improvement? If that is feasible, why 
didn't the UIDAI Biometrics Centre of Competence say so? Why 
did UBCC "took at the point where the FPIR ... 0.0025 %" and 
not at the point where it’s 1.4 x 10' 12 , which is what it would 
have to be to reduce the number of false positives to one 
million? 

If the sea-of-false-positives argument above is correct, then 
biometrics do not provide the foundation needed for Aadhaar, 
the false conclusions drawn by UBCC in the proof of concept 
trial report impugn everyone's trust in UIDAI and no-one can 
be confident that the benefits of Aadhaar will be achieved. 

But is the argument correct? It needs a trusted and 
independent third party to state their case and deliver the 
verdict. 

Some responses to this paper have been received. More would 
be appreciated. 

One response was to argue that the number of comparisons 
required to prove uniqueness would be reduced by using multi¬ 
modal biometrics. Take another look. The FPIR of 0.0025 
percent used in this paper is the multi-modal rate. If the 
calculations had been based on the FPIRs for either fingerprints 
or irisprints singly, then the prediction would be that UIDAI 
would have to perform even more than 18,000,000,000,000 
comparisons. 
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It was also suggested that biographical data used in 
conjunction with biometric data would reduce the number of 
comparisons that need to be made to prove uniqueness. That 
may or may not be true but it isn't what the UIDAI Model says, 

"demographic information shall not be used for filtering during 
the de-duplication process", as noted above, and it isn’t what 
the proof of concept trial report says - which is that uniqueness 
can be proved using biometrics alone, "the biometric accuracy 
levels necessary for deduplication of all residents of India are. 
achievable". And on that point, UIDAI are wrong. 

Or so it seems. (To repeat, more feedback would be 
appreciated.) 
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13 more questions Presumably the proof of concept trial 
report is the work of UBCC. They have to say why the sea-of- 
false-positives argument is wrong, if they can. And here are 13 
more questions which could do with a response from them: 

1. Over the years, the suppliers of biometric technology have 
been caught out repeatedly making exaggerated claims for the 
reliability of their wares. Their marketing material is now a little 
less gung-ho. UIDAl’s suppliers, i.-J identity Solutions Inc. and 

among others, do not claim on their websites to be 
able to deliver unique identification in the case of large, 
population registers. Given the sea of false positives, how could 
they? So why do UIDAI claim to be able to deliver unique 
identification? It's easy to see why the suppliers don't object to 
being boosted in this way. But why do UIDAI provide this 
unsolicited testimonial to the historically flaky products of the 
mass consumer biometrics industry? 

2. Should UIDAI change their name? Perhaps they should drop 
the word "unique" and become simply "IDAI". Or maybe they 
should change their name to something more like Pakistan's 
"MM TA", the National Database and Registration Authority. 

Not that NADRA seem to have brought peace, stability, social 
justice, universal inclusion and prosperity to Pakistan. 


3. How keen will V and Mm-IcK <ird be to proceed with their 
plans for biometrically verified payment services if unique 
identification is not available? 


4. Many states of the European Union, and Pakistan, and 
China, and others, use biometrics for their identity 
management schemes. If today's mass consumer biometrics 
are too unreliable to prove uniqueness, are they all, like India, 
perhaps wasting their time and money? 

5. In December 2009 UIDAI published their biometries Design 
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under the influence of the US National Institute of Standards 
and Technology (IT '.••!), they had high hopes of using facial 
geometry as a biometric. A year later, the support for facial 
geometry in the UIDAI Model is now tepid, at besH " Multiple 
modalities such as- fingerprint and iris image will be used for 
de-duplication. Face photograph is provided if the vendor 
desires to use it for de-dupheation". And in the proof of concept 
trial, they dropped facial recognition by computer altogether. 
Hardly surprising, i ucni g^orneiry is traditionally I he least 

hioinointcommonly considered. In general 
people would do better to toss a coin than to rely on facial 
geometry. Is the im«‘i nnuoual Civil Aviation Oiqanization 
wasting everyone's time and money, including India's, by 
insisting on facial geometry being implemented in ePassports? 

6. ... and are the UK, Aumioiu, rind Now Zealand, and Portugal 
wasting their time and money using so-called "smart gates" for 
border control at international airports? These machines rely on 
facial recognition. Does India intend to install them? 

7. UIDAI s identification results (Aimexttio p.30) are based 
on 20,000 people chosen from the 60,000 who attended two 
biometric enrolment sessions. What do the results for all 
60,000 look like? Why were the full results not published? How 
were the 20,000 chosen? What was wrong with the other 
40,000? Why don t UIDAI report the deduplication statistics for 
the i.. niiiCm - now enrolled on the CIDR, instead of a 
paltry 20,000 of them? 


8. Is a field trial of 20,000 big enough to tell India what to 
expect when it comes to 1.2 billion people? 

9. UIDAI are going to need a lot of different staff using a lot of 
different biometrics equipment in a lot of different urban and 
rural locations - how feasible is it to keep the FPIR as low as 
0.0025 percent? 


10. Most of the participants in the proof of concept trial were 
adults. UIDAI's report is not precise on this point, but it looks 
as though the results for children are based overwhelmingly on 
a sample taken from just one school. If that is the case they 
can tell India so little, why do UIDAI bother to publish the 
children's results in the trial report? 

11. Why don't Visa and MasterCard rely on biometrically 
verified payments anywhere in Europe and the US? If they're 

not good enough for Europe and the US, why should they be 
acceptable in India? 


12. The US company l ay i'.y iouch tried to promote 
biometrically verified payment services. They went bust. Have 


UIDAI considered this warning? 

13. i.nn. the body representing 1,800 business schools in 110 
countries, dropped fingerprinting as a way of verifying identity 

fh te ^ a tw °-year trial. If the business schools don't recommend 
the technology, why do UIDAI recommend it? 
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Identification v. verification This paper concentrate nn hh. 

aDRTumque e,, “ £af,0n ' i e ' Pr ° Vin9 th3t each record on the 

v?%L a £n nt !T T USt be i ald t0 the separate problems of 
. cat:ion i i s. proving that your biometrics are the same as 
the biometrics on the ID card/passport that you are us^Q to 
cross a state border, for example, or to register with a doctor 

India^'H healthcare or t0 P rove Your right to work in 


When it comes to verifying identity, there is a trade-off 
between false reject rates and false accept rates theyare 

i / h propo , rt:, u-? al ' The fa,se ootopt fate must be low to 
reduce the probability of impostors defrauding the state and 

toe banks. But that tends to push up toe fa serZSrate 

T" gl l t0l , d bv a com P uter t?ey ara not 
emselves. And when that happens, they can't cross the 

border or register with the doctor or get the new job. 

in the proof of concept tnal 'report (Annexe 3 o 31 

children- b UBcnh led " Iris verification ROCs (1:1) for adults and 
children liBCC have some way to go. 

It is impossible to tell from UIDAI's report what the level of 
false rejection in Aadhaar is. It could be verylow It co u Idbe 

r °z irm ( zrz \ p , 32) - ic - 

,. " "" llK f ound a false reject rate for 

>n^ r P r,n ^ S ' usin9 L ~ 1 Ic| entity Solutions technology, of about 


But if the entitlement to public services depends on the 
biometric verification of identity, and if 6 percent of the 

that T 3 ?2°mitlinn^ 6 "?^ * denied their entit| ement as a result 

customers , 
72 million rioting people have a way of making their anaer and 

S tS'nd uf SUlt may be that bilmetrta To no 

use to India and that all the money spent on Aadhaar is 




wasted. 
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Back to front The proper conclusion from UIDAI's proof of 
concept trial seems to be that the concept is not proven, the 
system design is a failure, its hypothesis is wrong, unique 
identification is not achievable. Ask any 16 year-old studying 
science (any logical 16 year-old, come to think of it, not just 
science students), that should be the signal to halt Aadhaar and 
think again. 

The proof of concept trial report reviewed here is a poor 
support for Indian confidence, it provides no foundation for 
trust in UIDAI and it diminishes the Aadhaar brand. The trial 
results are the opposite of the stated conclusions. UBCC need 
to raise their game before they conduct their next biometrics 
trial. 


The figures show that unique identification is not possible, the 
report states that it is. The proof of concept trial is a failure, 
the Aadhaar project proceeds nevertheless. It's all back to 
front. Why? 


Because UIDAI's approach to biometrics is back to front. 

First UIDAI assumed that today's mass consumer biometrics 
technology is reliable enough to deliver unique identification 
and adequate verification. They made all their plans 
accordingly. They hired staff. They contracted with registrars 
and enrolment agencies and introducers and authenticators (as 
per the UIDAI Model). They paraded the most senior politicians 
in the land to give the project their backing. They briefed the 
press and they ran a nationwide publicity campaign. Global, 
even. All the while, they were making promises, raising 
expectations, committing themselves. A lot of hope, wishful 
thinking, the best of intentions, sackloads of public money, the 
benefits would be monumental. Then, and only then, they 

conducted a trial to test the feasibility of Aadhaar. That's the 
wrong way round. 


As it happens, the UK made the 
same mistake. For years, 
between 2002 and 2010, the 
Home Office were in the 
undignified position of being 
quite unable to answer probing 
questions, whether posed by 
critics or supporters, about the 
proposed UK ID card scheme. 
The facts simply don't support 
the claims the Home Office was 



Damian Green MP feectino disk drives 
from the failed UK ID card schema 
and the credibility of the home Office 





Photograph: SVl ;Vs? ( hit)"'i >n/Cuij < du;n 


making - see for example their 
document •i|ii,iidu , t) 

idc-nhiy' - about being able to "lock" people to a single identity 
(para.3.29) and their fatuous promise that ID cards would 
"make life easier" (para.2.1). Public money was wasted on a 

fiipf 


There were many problems with the UK scheme. Not just 
biometrics. But biometrics is the easiest problem to understand 
and to discuss objectively and on which to reach an agreed 
decision, it's quantifiable, there are no difficult value 
judgements to make, it’s just technology. And not a very good 
technology - whenever there is a large-scale field trial, as 
opposed to the mere computer modelling exercises favoured 
by N' s i, mass consumer biometrics prove to be too unreliable 
for the ID card schemes that depend on them. 


By the time the stillborn scheme was finally cancelled, the 
Home Office had lost all credibility, it was totally demoralised 
and it is now excluded from discussions of the UK's new, and 
still unspecified, MiijimI I vhvory Identity Assurance project. 


o 0 o 


Deduping UIDAI If UIDAI wish tp avoid the same fate - 
ridicule, disgrace, ostracisation, ... - they had better display a 
lot more dignity than the UK Home Office did for eight years. 

The danger exists that, having given their unsolicited 
testimonials to the biometrics industry and its unreliable 
products, UIDAI will be left to clean up the expensive mess left 
in India as best they can when Aadhaar is cancelled, while the 
biometrics industry road-show moves on to the next country 
and repeats the trick. 


UIDAI need to make it clear to politicians and the media and 
the public that the magical claims made for biorrfetric 
identification and verification were hypothetical. They have 

been proved to be wrong. And that's the biometrics industry's 
problem, not UIDAI's. 

There are any number of news items in the media like the 
following article by Amruta Byatnal published in The Hindu of 
29 September 2010 ... 


Tembhli becomes first Aadhar village in India 

Ranjana Sonawne 782474317884 W.lh this number. Ranjana has become the first Indian to 
get the LfID (Unique Identification) Ptmie Minister Manmohnn Singh and United Progressive 
AJIninee Chau pet son Sonia Gandhi launched the Andhar project. 







The Unique Identification Authority oflndia 
(UIDAI) chief. Nandan Nilekatu, Maharashtra 
Chief Minister Ash ok Chavan. Deputy Chief 
Minister Chhagan Bhujbal. Maharashtra 
Governor IC Shankaranaraynnan. Planning 
Commission Deputy Chainnan Montck Singh 
Ahlmvaha were also present at the inauguration 
function 

♦ 

Stating that the UID will help people in ‘all 
fields.’ Ms Gandlu stated: “Our idea is to not 
just focus on development, but to bring about 
inclusive giowth amongst our people This 
scheme will make sure people will get what they 



Prime Minister Manmohan Singh 
and UP A chairperson Soma Gandhi 
present the Unique Identification card 
to a tribal woman in Tembhh, Maharashtra 


deserve” . 

i 

1 

Dr Singh congratulated the UIDAI and said. 
“UID will help the hundreds of people in India, 
whose pnde was hurt for so many years because 
of the lack of an identity This will be their 
source of recognition from now on/' 


Making life easy 

He clarified that the UID number will now 

enable them to open bank accounts without any hassle, get intion anywhere in the country and 
to get job catcls. among othei facilities . 
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... the recommendation in this paper is that UIDAI should 
ensure that a lot of news items like the following mock-up are 
published in addition. And journalists should lose no opportunity 
to ask the directors of the companies supplying biometric 
technology to UIDAI to confirm that it is feasible to prove that 
each electronic identity on the CIDR is biometrically unique: 


Aadhaar: biometrics companies provide copper bottom guarantee 



Jean-Paul Herteman, CEO of tu, >, 
the company that owns fu'<j>ib 

(p) ' > t :■ 1 <"’• u* 


N/{ >»>('<''• Cnwdi am lut vipmn onrl 


Leaders of 
tw o of the 
biggest blue- 
chip 

companies 
providing 
biometrics 
technology 
to India’s 1.2 
billion 
Aadhaar ID 
cnid scheme 
joined 
togcthei 
today to 
con grntulate 
both Prime 



Robert V LaPenta, 
Chairman, President and CEO 

Of L t 7 XRv me. 
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chiefNandan Nilekam on his energy. The fingerprint and iris know-how of Morplio and L-l 
Identity Solutions lies at the heart of Aadhaar. The ability to provide a unique identity to evety 
resident ol India depends on the uniqueness of their biometrics, as recorded by MrHertcman's 
high-tech equipment and Mi LnPentn's, 

Scientifically pr<n cn - the power of technology 

"This has never been done before", they said, "anywhere in the world. UIDAI need ourskillsct to 
be 100 percent reliable, we aic pioud to be underwriting the biggest social project on the planet 
and we thank Mi Nilekam for giving us the opportunity to help. In years to come, India will be 
transformed by Andham into a 21st century powerhouse and that will indubitably be thanks to 
our biometrics and to Prime Minister Singh's faith in our companies". 


- 0 0 0 - . 

Pro-poor approach According to the UIDAI Model, India is. 
adopting a pro-poor approach: "The UIDAI envisions full 
enrolment of the residents, with a focus on enrolling India's 
poor and underprivileged communities. The Registrars that the 
Authority plans to partner with in its first phase ... will help 
bring large number of the poor and underprivileged into the 
UID system. The UID method of authentication will also 
improve service delivery for the poor". 

The poor are not helped by UIDAI pretending that a technology 
works when it doesn't. Who is? 


Updates: 


18 March 2011: (low UliV'.L 

iOl W,l! (i Will' •. 1 P ' '.4 jit I III' 


tiuolt-d up pilot tost. 


results to press 


David Moss spent . mht yr.i . . L.tittpaigihiiy against the Home Office's ID card 
scheme HTP. Whitehall haven't given up yet - a national identity assurance 
service has appeared in their (> ('.It<t’,i L>r uji^mme. We shall see. 
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THE N ATIONAL IDENTIFICATION AU CiORITY OF INDIA 

BILL. 2010 , 


% 


BiUL 

io provide fa. 'he 'suddishtncui oj ihe iXanural Idea, iJicatUui Authonn of India joi the 
mnpou of issuing identification uwubei - to individuals residing m India and io 
certain other clashes of individuals nn.l mnunei of authentication of such individuals 
to fcK'ihrate access to benefits and services to such individuals to which they are 
entitled and foi mat an* connected rheiruuth oi incidental thereto. 

Bl it enacted bv 1 *aihamciu in the Sixty-fit si Ye hi oi the Republic ot India as follows: 

CHAPTER 1 
Pklliminaky 

1.(7) Tins Act may Ik called the Naiioiul identification Authority ot India Act, 2010. 

5 fi) it shall extend to d>e whole of India except the State of Jammu and Kashmii and 

save as otherwise provided in this Act, it applies also to any otience oi conti avention 
ihereundci committed outskic India by any prison. 


Short title, 
extent and 
coiniuciieemeiu 


t 


Definitions 


i j.; d' * 


1 ^; 


<1 r« »! « 
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(J) Ii shall come i no force on ^uch dale as Ihe Central Government may, by notification 
in the Official Gazette, appoint: and diffident dates may be appointed for di ferenl provisions 
of this Act and any refe ence in any such provision to the commencement t f this Act shall be 
construed as a reference to the commencement ol that provision 


2. In this Act. unless the context otherwise requires,— 

(n) “nndha lr number” means the identification numhei issue l to an individual 
under sub-sectk) i (2) of see ion 3. 

(/j) u aadhiar number bolder’ means an individual who ha; been issued an 
aadhaar number under this /' ct, 

<r) “aulhc mention" mean; the process wherein aadliaai numbei along with 
other attributes including tioinetucs) are submitted to the Central Identities Data 
Repository or i s vanficalu", and such Reposiloty verities the directness thereof 
ou the basis of iufonvtfcui c data or documents available with it 

<<Y) “Aullunty” means ihe Nat.oral Identification Author by o' India established 
under $ub-$ec(icn (/) of section 11 

(e) “b'Oimtric infom* alum” means a set of such biologic? I .ntu’uites of an 
individual as m; y be specified by rcgiuauons* 

if) “Centra] Identities Data Repository” means a cent; ahsed talabasc xu one oi 
more locations containing . II aadhaar numbei* issued to .ndha< i uunibei holders 
along with the c irrcspondinr demogiaphic infonnation and btome nc information of 
such individual; and othei n for mi Non (dated Iheielo: 


(ji) "Ohai person” meins the Chairperson of the Authority appointed unde r 
section 12: 

(/t) “deme graphic information” includes infomuuon velatuv, to the name, age. 
Gender and add csr. ol ar. individual (othei than lace, religion cave Nibc, ethnicity, 
lansuace, meorie or health! end such othei infonnation a< may )e specified m ilie^ 

v V 1 

regulations foi ihe purpose of *Soiung an aadhaai numbei. 

(f) “enrol ing agency” mean; an agency' appointed by the Authority or by the 
Registrars, as the case may he, foi collecting information under tins Act: 

(/) “enrolment" ineain sueu piocess, as may oe specified by regulations, to 
collect demographic inforni uion and biometric information from individuals by the 
enrolling agencies tor the purpose ol issuing of aadhaar nunibe; o such individuals 
under this Act; 


(k) “ident ty informal* >n” in i rspecl of an individual means bic metric infonnation, 
demographic ir formation and aadhaar numbei of such individual ;* 

(/) “Mem her" includes theChaupersim and a part-time Mem >er of the Authority 
appointed under section 1'!, 


(m) “notification” me ins a notification published in the Official Gazette and the 
expression “noified” with its cognate meanings and grammatical variations shall be 
:onstnied acccrdingly; 


(n) “prescribed" me?ns prescribed by rules made under this Act; 

<o) “Reg strar” means any entity authorised or recognised by the Au’hority for 
the purpose of enrolling tl* : trntri tduaJs under this Act; 

(;;) “mgilations” me ms the regulations made by the Aulhr lily under this Act; 

(q) “resident” means an individual usually residing in a vil age or rural area or 
town or ward u* demarcated area (demarcated by the Registrar General of Citizen 
Registration) v'ithin a ward in a town or uiban aiea in India; 

(r) “Review ConinuU x” means the Identification Review Ct minilteeconstituted 
under sub-sec!ion (/) of section 28. 
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CHATTER II 

A \DH Vd< NUMHFRS 

3. {/j-Every resident shall he entitled to obtain an aadhaar number ou providing of his 
demographic inhumation and biometric information to the Authority in such manner as may 

5 be specified by regulations: 

Provided that the Central Cuvet nmcnl may. from lime to time, notify such other categoiy 
or individuals who may be entitled to obtain an aadhaar nmnbc.. 

i 2) Ou »ceeipt of die demogi aphic information and biomeiiiC infoimr«tion undei .sub¬ 
section <75, the Authority shall, after verifying the iu'ornution, in such manner as uuy he 
10 specified by refutations, issue an aadhaat numbci to Mien icsidcnt 

4. d) An aadir.ai mtnihei, issued to an individual shah not be iv-ass’gneJ to an> 
umei individual 

< 2) An .i.idtia<n numoei stud be a random numbci and ixm no jttnbutes or nJcntitv 

* * 

data oi part thereof, relating lo the uadhaai nurnbcL holdci 

i5 (3) An aaduaai numbei shall, subject to authentication, be accepted as piool ol 

identity oi the udtwui numbei holdei. 

3. U) The AutJioniv shall j*cifoMi» emhcnrLaiiou of the .uidluici number oi* a aadmuii 
r.umbei holdei :u relat.ou to his biomcii icioiot niafion and demographic information subject 
to such conditions and ou payment of such Ices and m such maunei as may be ",perilled i»> 
^5 regulations 

(2) The Authority shall respond to an autbemicauon query with a positive or negative 
ic:,poa>e oi wild any Oihci uppiuprkuc iespouse excluding am dcmogiaplnc intbcmuiiuo 
and biomeUr* infot matron 

ti. Tlie aadhaar numlvii <» the authentication thereof shall not, by kseif, conlei any 
25 tight of or be p.oof ol citizenship oi domicile in resj^ect of an aadhaar numbei holder. 


7. The Authority may engage one oi more entities to establish and maintain the 
Central Identities Data R epos no i y and to perfouu any othei' Junctions as may lie speedier 
by regulations 

8. The Autltority may reejuire the aadhaai numbci holdci s to update then dcmogiaphit 
X) intomurion and biometric information, hum time to tune, in such manner as may be spec dice 

by regulations so as to ensure continued accuiacy of tbeii information in tbeCential Identities 
Data RejK»sitoi> 

9. The Audvorky shall not require any individual to give infoimation peiraining to in., 
luce, religion, caste, tube, eUmi-ity. language, income oi health 


$5 10. TV Authority shall take special measures to issue aadhaar number to women, 

children. Seuioi citizens, persons with disability, migiant unskilled and unorganised workers, 
nomadic tubes oi to such other prisons who do not have any permanent dwelling house 
and such other c&tegones ol nulividuaJs as may be specified by regulations. 


CHATTER III 

4 ) N \TlONAf iDFVIiFK \TION AlTHOWTV OF LnTHA 

U. (J) The Centra! Government shall, by notification, establish an Author it y to be 
known as' the National Identification Authority of India to exercise the powers conferred 
on if and to perform the Inactions assigned lo it under this Act. 
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Composition 
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(2) The Authority shall be a body corporate by the name aforesaid, I aving perpetual 
succession and a comm m seal, with power, subject to the provision 4 , of tin - Act, to acquire, 
hold and dispose of property, both movable and immovable, and to contract and shall, by the 
said name, sue or Lc ,ri ed. 

(J; The head oH'u c of the Autl only shall be in the National Capital Region referred 
to in clause of section 2 o< theN itional Capital Region Plmming Boa *rt Act, 1985. 

(4 iTnc Authority may, with t! ic pHoi approval of the Central Go vet anient, establish 
its offices at other piac is in India. 

12. The Author!t/ shall consist of n Chairperson and two part-tint i Members to be 
appointed bv (he O mr. il Govcnuiic.it 

IX TheGianperson and Men Jiers <J the Authority shad oe persons oi ability integrity 
and outstanding c.iUb c having experience and knowledge in ihe m; tiers reeling lo 
technology, govern wee, law.development, economics, finance, mariagem > nt, public affairs 
or administration. 


14. (7) The C hau person and ihe Me;nbeis appointed under tins Act shall hola office 
for a »ccm of three year from the d;uc on which tiicy assume office and shall be eugible for 
reappointment’ 

Provided (hat no person shall hold oftice as a Chairperson or Member after he has 
attained Ihe age of sixt/-five years 


Provided fur hei dial the Chai rpersen of the Unique Identification /.ut^ority of India 
appointed before Lite commencement of this Act by notification A-43011 02/2009-Admn. 1 
(V6l.ll) dated the 2nd J j'y, 2000 sh ill condrue as a Chairperson of the Authority under this 
Act for the icrni for which he had lieen appointed 


(2) The Chairper on and cvci v Member shall, befoie entering upon heir of r ice, make 
and subscribe to. an o.ith of office and ot secrecy, in such form ard in .uch manner and 
before such Authonty as may be prescribed. 


(J) Notwithsland ng anything contained in sub-section {/), the Chairperson oi Member 


Rcmovnl of 
Chairperson 
and Members. 


»nay— 

(n) relinquish his office, by gi\ mg in writing to (tie Central Go v eminent, a notice 

of not less than hirty days: in 

{ b ) l>e removed from h otfice in accordance with the provisions ol section 15. 

(V) The Chairperson shah nc*t liokt any other office during the pen od of holding his 
office in llie Authority as such. 

(/•) The salaries arid allowances pnvablc to, and the other terms and conditions of 
service of, the Clutirpc -son mid allowance* or rcriuucratior payab'c to pr rt-tirnc Members 
slial! besuch as may be prescribed: 

Provided Um£ the .salary, allowance? and the other terms and cotid, tions of service of 
the Chairperson shall not be varied to his disadvantage after his appointment. 

15. (/) The Cent: il Govemmt nt may remove from office llie Ciairpei son, or a Member, 
who— 


(o) is, or at any lime l.as been adjudged as an insolvent: 

(b) has box)me physically oi mentally incapable of acting as ihe Chairperson 
or, as the case may be, a Member, 

(c) has been convicted of an oflence which, in the opinion of th~ Genital 
Government, involves mora turpitude, 

(d) ha-, acc lured such financial or other interest as is likely to ? I feet prejudicially 
his functions as the Chairpe ;on oi, a*. the case may be, a Mcmbci, oi 

(<r) has, in the opinion of the Cent i at Government, so abuset his position as lo 
render his continuance in oflu'e detrimental lo the public interest 
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1 2) The C'hanpeison oi a Memner shall not be icmovcd mulct clause (V/j or clause U't 
oi sub-set u on f 1) unless lie lias been given a tcasonabic oppoiiunuy ol being heard in the 
mallei 


14. The Chunpeison or .1 Member, ceasing to hold office as such, shall not, without 
5 pievious apptoval of the Cenlta! Government.— 

t«*7 1 accept any employment in. 01 connected with »he management or 
adtnimsujuon ol, any pci son which has been associated with any \.*oik under the 
r\ci. tbi i jsenod ol lluee years tmiii Ihe date on which they cease to hold office* 


Resnicnou* ou 
Chairperson ot 
Members ou 
employ in z nt 
aftc cessation 
oi of nee 


ft) 


: o 1 ’VS) 


Pumded that nothing contained m this clause slul! apply to any employment 
undci u.e Ceiuial Government 01 a State Cfovernmcnt or local authority 01 ui any 
sratutoiy auihnnty 01 any coiporauon established by ot under any Central. State 01 
provincial Act or a Government Company, a j defined m action 617 ot the Companies 
AU IMN 


act. to: ot on behalf oi any peison 01 oiganisauon 111 connection with any 
45 spccui- preceding or uansaction or negotiation 01 a case to which the Authority is 

•• paitv and with respect to which tile Chairperson ot such Membei had, before 
cessation ot office. acted ioi or provided aJvice to. the .Authority. 

u » giv- ,k1\k e 10 a.iy person uvng informal !or which was obtained in his 
capacuy as the Clnnrpetsou or v Membei and being unavadaote to or .lot taring able 
20 to be made available to the public, 

(,/) enter, toi a period ot Uuee ye,as homhis last day in office into a contract, of 
seivict wiiti, accept an appointment to a bo.uu of directors ol, or accept an offer of 
employment with, an entity with whidi lie had direct and significant official dealings 
dining his term ol office as such. 

25 17. The Chairperson shall have povvcis of general superintendence, direction in the Tuuciioiis of 

conduct of the affans of U>e Audio* tly and lie shall, in addition to presiding ovei the niairpeuou 
meetings ot the Authority. and without prejudice to any of the provisions of this Act. 
i.xeicise aim di&chmgc such other powei* and functions ol the Authority as may be 
prescribed 

X) ! 8 . (/) 11 te Author itv shall meet at such times and places and shall observe such rules Meetings, 

of procedme m itgaid to the tiausaction of business at *»s itu-ciincs (including, quorum ac 
such meetings) as may lie specified by regulations 

(J) The Charrjiersou, ch. if foi any reason, he is unable to attend a meeting of the 
Authority, the senioi most Memi^er shall preside over the meetings of tlie Authority. 

35 (a) At! questions wtuch come up bctoie anv meeting of the Authority shall be decided 

by a majot ,rv of votes by the Membei $ present and \ oting and in die event of an equality 
of votes, rhe (‘lunpeisou 01 m Ins absence the Mcinbei presiding over shall have a second 
ot casting vote 

(V) All decisions of die Authoiity Shall be authenticated by the signature of the 
40 Chairperson oh any othei Member authorised by the Authority ir. this behalf. 

1 S) ft* any Member, who is a director of a company and who as such director, lifts any 
diiect or iudueupeeumaty iutacsi in any mallei coming up foi consideration at a meeting 
of (lie Authority. he shall, as soon as possible altei relevant circumstances have come to his 
knowledge, disclose Uvc nature of his interest at such meeting and such disclosute shall be 
45 recorded in (Ik proceedings of the Authority, and the Membei shall not take part'in any 
deliberation or decision of the Authoi ity with respect to that matter. 


19. No act or proceeding of ihe Authority shall be invalid merely by icason of— 

(</) any vacancy 1 . 1 , 01 any defect m the constitution of, the Authoiity; 

(61 any delect in ihe appointment of a peison as a Membei of ihe AuthoiUy; or 
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(c) any irregularity in (hr procedure ol the Authority noi affecting the menu ot 
(he case. 

20. </) There shal be v chief executive officer of the Authority, not Mow the i ank of 
the Additional Secrnlac\ to the Govt i nmenl of India, who snail be the Men ber-SecreUiry of 
the Authority, to be apf ointed by Um Genual Gove*nmenl. 

(2) Tlit Authority may. with the approval of the Central Govemnien:. determine the 
numoec. nature and categories of oM<: olTicers and employees required tc (lie Authority m 
the discharge of its functions. 

(.?) The snlatic® (iid ailownn. cs pnvablc to, and the other terms and conditions of 
service at, thecliicf txcc ativc officci and other officers and other employee of the Authority 
shall be such ns may be specified by rrguJatinis with the approval of tlle Ccn ml Government 

21. (/' The c'nei executive olhcer ‘.hail nt the Icaai representative of the Author'tv 
and shall he responsible foi— 

<r) ihe day-to-day admini .-(ration of (he Authonty, 

({,) i.npfeincn ing the wort piogi .mines and decisions adopted iy the Authority; 
(r) drawing u > of proposal for the Authonty‘s .vo;k programme : 

(W) the preparation of die d.Hemcnt of revenue and expenditure .mu the execution 
of the budge'of :he Authority. 

(2) Even- year, the chief executive officer shall submit to the Authori y lot approval— 
(n) a genual report covennp all the nctivme.. of the An thou y m the previous 

vear; 

(i b ) programmes of wotV: 

(c) the am ual accounts for f he previous yeai, and 

(d) the buc gel for the < miir.y year. 

(d) The chid executive officer shall have admini stiaOve conti ol ov r the officers and 
other employees of llm Authonty. 

22. On ancl from the establishment of the Authonty — 

(/) all the issets and Inbitities of the Unique Identification Authority of India, 
esUtbhsiied vide notification ol the Government oflndia in lire Planning Commission 
number A-430J l TO/2009-Admm.L dated the 28th January, 2009, shall stand transferred 

to. and vested in, the Aitthoi tty. 

— The assets c! such Unique Idemifica'mn Authority of India 
shall !>e deemed to include all ngiits and powers, and all properties whether movable 
or immovable, i icluding, in pariiadai. cash balances, deposils nnc all other interests 
nnd rights in, ot arising out of, sue h properties as may be in the possession of such 
Unique Identification Audio uy oflndia ancl all books of account and other documents 
relating to the Sc me; and liab f lilies shall lie deemed to include all debts, liabilities and 
obligations of whatever kind, 

(2) withoi I prejudice 1 1 the provisions ot sub-section (f), all dnta and information 
collected during enrolment, Gl details of authentication performed debts, obligations 
and liabilities ii curred. all contracts entered into and all matters and things engaged 
to Ire done by, villi oi for si oh Unique Identification Authority of India immediately 
before that day, for or in connection with the purpose of the said Un ique Identification 
Authority oflmia. shall be Jeemed lo have been incurred, entered into or engaged to 

lie done by. wit i or for, the Authority, 

(3) all sums ol money due to the Unique Identification Authority of India 
immediately before that dir, shall be deemed to be due to the Authority, and 


I 





a 


(4) all suits and other legal pioneerings instituted or which could have been 
niMilulcu by 01 against such Unique Identification Authority ot India immediately 
betoic that d.tv may be continued oi may be instituted by or against the Authority. 

23. t/j The Alt thorny shall develop the policy, proceduie and systems for issuing Powers and 
? aadhaai numheis to residents and perform authentication thereof under (his Act. imieiiou* or 

Auiliority 

(2) Without prejudice to the provision? contained in s^b-seclion J), the powers and 
iimctum.s oi* die Authority may. hurt alia, include all or any ot the following matters*, 
itameK.— 

in ) specifying, by initiation, dcmograpliic information and biometric information 
»o iVu emohnent for an aadhaai lumbei and the pixy esses foi collection and v i nncatiou 

[beieof 

*4 

\b) collecting demographic tnloLmauon and biometric intoimauon horn ni\ 
indiculu.d secUng an aadhaai numbej m stub mantici as mav he specified In 
legislation.*, 

k u) appointing iu one or more entities to opeiaic the Central Identities Data 

Repository: 

<</j generating: and assigning aadhaar numbers to individuals: 
pei forming authentication ot the aadhaai nunihci*. 

ij) manuaming and updating the mfonnation ot individuals in the C ential identities 
20 Data Repository in such mauuci as may l>e specific cl by t emulations; 

tv} omul inti and deauivahmt ol an aadhaar number md inhumation relating 
thereto in such nnuuiei as may 1* specified by regulations 

(/>) speedy the usage and applicability ot* the aadhaai manlier for delivery oi 
vaiious benefits and sen ices as max be provided by regulations; 

(zj specifying, ny regulation, the temis and conditions foi appointment of 
Re gist i ai s. emoilmg agencies and service providers and i evocation of appointments 
thereof, 

(,) establishing, operating and maintaining of the Central Ideanfu* Data 
Repository; 

\) (X) shining, in such rnannei as may l)e specified by regulations, hie infomuuion 

of aadhaar number holdets, mih that written consent, with such agencies engaged in 
delivery ol public benefits and public advices as the Authority may by order direct: 

<Jj calling lot inlonuiHioiv and lecoids, conducting inspections, inquiries and 
audit oi the ope i at ions foi Hie pui poses of this Act of the Central Identities Data 
35 Ref>ository, Registrars, enrolling agencies and otltet agencies appointed under this 

Act: 

specifying, by icguteuor, virions processes relating to ua:a management 
security protocols and other tecnnology sateguards under this Act: 

(//} specifying, by legulation. the conditions and procedures ior issuance ol 
40 new aadhaar itumhci to existing aadhaai* number holder, 

p>) levy and collect the fees ot authorise tne Registers, eiuoiling agencies or 
othet sei vice provider to collect such fees for the services provided by them under 
this Act iu such rnannei as may be specified by regulations; 

{p) appoint such conunittees may he necessary to assist tlte Authority in 
45 discharge of its functions foi the purjioses of this Act; 

<<yj promote icscaith and development foi advancement in biometrics and related 
atcas. including usage and applications of aadhaar numbers through appropriate 
median urns: 

(;) spccilying, by legulation. the policies and piactices tor Kegistrais, emolliua 
ip agencies and othei service piovideis. 
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(j) seUuig up factlilalion i.entres and grievance redressul mcchait sms forredressal 
of grievances of r :si<1cnls, Reidslrnrs enrolling agencies and other service providers; 

(0 sucl' other powers and functions as may be prescribed. 

(5) The Authority may,— 


(/t) enter in o c Memorandum of Understanding or agreement as the case may 
be, with Central Governmeri or .Stale Governments or Union teirilories or other 
agencies for Lhc pirpose of pei forming any of the functions in rclat on to collecting, 
storing, secumg or processing of infotmation or peribiming authe Uicalion; 


(/;) by noli ication, appoint such number of Registrar, engage and authorise 
such agencies to collect. Mom. secure, process infot minion or do mihenticadon or 
{perform sucl* other functions m relation thereto. 
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(4) The Authonh f may engage such consultants, advisors and other persons as may 
t>e required Tot efficient discharge of Us Innctio is under this Act on su h allowance., or 
remuneration and term, and conditions as may be specified by regulatiois. 15 

CHAPTER IV 

O lAN - ^ ACC oi ins AMD AI *DP AND ANNUAL RLFOXI* 

7A. The Central < Government i nay, after due appropriation nmdc by ] Parliament by lmv 
in tins behalf, mrke o file Authority, grants of such sums of anone g as Mie Central 
Government may thin k fit for beii ig utilised for the purposes of this Act 30 

25. The fees *>r re venue collet led by (lie AutJioi ily shall be credited U the Consolidated 
Fund of India and (he satire amount so credited be transfened to die Authority. 

26* (/) The Authority shall r lainlain proper accounts and other relevant records and 
prepare an annual statement of accounts i.i such form as may lie prescribed by the Central 
Go*eminent in consultation with (jis Comptroller and Auditor-Gcnerm ol India 25 

(J) The acctHinlr of the Autljority shall be audited annually by the Comptroller and 
Auditoi-General of Incia at such intervals as may lie specified by him an I any expenditure 
incurred in connection with such a id it shall Ik payable by the Authority t the Comptroller 
ard Auditor-General. 


Reunm and 
annual report, 
etc 


(3) The Compli oiler and Auditor-General and any person appiinted by him in 30 
connection with the a Jdit of the accounts of the Authority under this /..cl shall have the 
same riglus and privileges and authority in connection with such audit as the Comptroller 
and Audilor-fieneral generally ha-; in connection with the audit of Government accounts, 
and in particular, shall have Ihe lignt to demand production of books, accounts, connected 
vouchers npdoihc* do< uments and oapeis and to inspect any of (he office s of the Authority, is 

('f)The accounts of the Autlv inly, as certified by the Comptroller an l Auditor-General 
or any other person nj pointed by lim in this behalf, togeihei with the at dit report thereon 
shall be forwarded annually to tlr Central GoveinmeiU by the Author! y and the Central 
Government shall cause the audit report >o be laid, as soon as may be r ficr it is received, 

Ik fore each House of Parliament. 40 

27. (7) The Authority shall furnish to the Central Government at sue h lime and in such 
form ami manner as nay be prescribed or as the Central Government may direct, such 
returns nod statements and particulars in regard to any matter under the jurisdiction of ihe 
Authority, as the Cent ui Oovennr exit may from tune to tune requii e. 

(2) The Authority shall prep ire, once in every year, and in such for n and manner and 45 
at such lime as may te prescribed, an annual report giving— 

(ci) a description of all die activities ol the Authority for the previous years, 

{b) Ihe annual nccouris for die previous year: and 


(c) the pit grammes ol work* loi coming yeai. 




t 





13) A cup) of lhe icpou iccetved undo sub-section (2» shall he laid b> the Central 
Covei nment. as soon as may be aflei u is icv.cn cd bctoie each House of Parliament. 

CHAPTER V 

IULsim RhVUiW Co.MMll J'LL 

s 2H.(I) The Cential Government may. by notification constitute the Identity Review 

Committee to discharge functions specified under sub-sec don t )) of section 29 tn respect 

of anv mattei connected with the usacc ol the nadlinui number;. 

»* w 

The Review Committee stud consist of dnee membeis (one of whom shall he 
ehaiipeison ek ognated as such by ihe Cential (lovtimneui) who are persons of eminence, 
to .Unhtv. inteei it*, and standing m public life having knowledge and experience in the fields of 
technology, law. admimstialion and go^emancc, social service, journalism, management or 
serial sciences 

i») 1 he mcinbeis of the Uc*ic\v Committee shall be appointed by the Cential 
Government on the recommend.mans of a committee consisting of— 


i ■»» 


\a\ me Pi«nc Minister. wl>o nfiall l>c die Chmpeison of the committee; 

j i r hc LeaJci oi Opposition in the Lok Sablui and 

U ' a Union Cabinet Mimstei to tie nominated by the Prune Minister 

IwjAanauon — Fr»i the lemov at ol doubts, u is heicby declared that where the Lcadci 
ol the O^Aismon m the House oi die People has not been lecogmsed as such, the Leadci 

D ol the single hugest group in Opposition ot the (government in the House of the People shall 
he dee filed to be the Leadei oi the Opposition. 

( 4 ) Tile membei of the Review Committee shall not l>c a Membei of Parliament oi 
Membei of the Leashuuie of any State or H.uon icndioty, as die case mav he, or a niemter 
ol any political party. 

25 (5) The members of die Review Coaurduee shall hold otlicc tor a term ot three years 

uoiii me daie or. which they cntci upon office and shall not be eligible for leappointmeiv. 

iO) 'ffie Central Government may In ordei temove fmm office any member of th* 
Review Committee. who— 

tfi) is, oi at any dmc has been adjudged as an insolvent. 

X) t/>) has become physically or mentally incapable of acting as a membei; 

(( j lias been convicted of an offence which, in the opinion ol the Central 

Government, involves moral tuipuude, 

(d) has acCjlined such (ma octal ui other interest as is hkelv to afleet ptejudiciall) 

>us junctions as a membei. oi 

^ [e) lias, in die opinion of the Cential Government, so abused his position as to 

rcndei hu continuance in office deuinternal to the public interest: 

Provided that a Membei shall not be icinoved under elaiuc (d) or clause (e) unless he 
has been given a reasonable oppouuniiy of being hem cl in the matter. 

29. (/) The Review Committee shall ascertain the extent and pattern of usage of the 

4 ) audit uar uumters across tlie country and ptejiare a report annually in relation to the extent 
and pattern ot usage of the aadhaar numbers along with its recommendations thereon and 
submit die same to the Central Government. 

(2) The manner of preparation of the lepon referred to in sub-section (/) shall be such 
as may be determined b\ the Re\ ie\v Committee 

45 {3} A copy of the icport along with the lecommendations of the Review Committee 

shall be laid by the Cent ml Government, as soon as may be aftei it is icceived, before each 
House of Parh ament. 
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30, </) The Authority shall ensure the security and confident!?lily of identity 

information and authentication rccot ds of individuals \ 

(2) Tlie Authority shall take measurer» (including security safeguards) to ensutc thak 5 

t!te informal ion in l*ie possession or control of the Aulhorily (including ini ormaiion stored \ 
in tne Central Identities Data Repository) is secuied and protected agi.ns 1 any loss or \ 
unauthorised access or use v jiijiihorisrd disclosure thereof \ 

(3) Notwiths'and'.ng anythinr contained in any other law and save as otherwise 
provided in this Act. lli; Authority o< any of its officer or olliei employee oi nr»y agency 
who maintains the Central Tdenhhe Data Repository sh;«P n.M wnc there! i.irg his serv^v* 
as such or thereaftei, repeal any uifoi matioa shred in the Central Identifies Data Repository 
to any person* 

Provided that an radhaar nuir her holder may request die Authority to pro v ide access 
to his identity infoimat on in such ru.ni.ci as may be specified by ugulafors 15 

31. (/) In case tiny demogno ir information telating to an aadhaar tumbet holder is 
found ii •correct or changes subsequently, the Aadhaar number holder ..hall request the 
Autlion'y to alter such demography inlomiation in his record in the Centi il Identities Data 
Repository in suUi manner as may In specified by regulations. 

i 

(2) fn case any I icmetnc inhumation of aadhaar uunil>er holdet i. lost or changes 20 j 
subsequently for any jeuson, the ladhaat number holder shall request the Authority to / 
make necessary aherabon in his rtixud in the Ceidial Identities Data Repository ui such / 

manner as may be specified by regulations / 

* 

(.?) On receipt of any request under sun-section (/) or sub-section < 2), the Autliority / 
may, ifii is satisfied, make such alt/iatiou ns may be lequircd in me record i elating to such/ ?5 

aadhaar number holder and intimate such alteration to the concerned aadhaar nuinbe 
holder. 

/ 

32. (I) The Audi >nty shall n tuu un details of every request for aut lenticalion of/(he 
identity of every aadhaar number folder and the tesponse provided theicon by it in 4 uch 

manner and for such time as may P: specified by regulations j 30 

/ 

( 2 ) Every aadhau* number holder shall be entitled to obtain details of request for 
authentication of his aidhaar nuin cr and the response provided theieor by the/Authority 
in such manner as may be specific! oy regulations. / 

33. Nothing contained in sub-section (3) ot section 30 shall apply inspect of— 

(<i) any dt; closure oi iiiloimahon (including identity inform idem or details of 35 
authentication) made pursuant to an otdei of a competent court; c/ 

(b) any di , 1 closure of information (including identity information) made in the 
interests of national security in pursuance of a direction to that e feet issued by an 
officer or office,s not below ihe rank of Joint Secretary or jtqui valent in the Central 
Government specifically authored ,n this behalf by an orde^TheO ntrai Government. 40 

CHAPTER VII X 

( -FFEKCFS AST) PI*NAt.Til 



t^Whoever iir personates nr attempts to impersonate another per ton, v r hether dead 
or alive, rchkjorii naginary. by pru/idmg any^fiflse demographic information or biometric 
information shatT b<H Jt mi si tabic v > t (y imprisonment for a term which may extend to three 43 
years and with a ‘me which may rxtend to ten thousand rupees. 
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35 . Whorvei, with the intention of causing haul) or mischief to a and I mat number 
holder, oi wnh the intention ot appropriating the identity ot a aadhaai nuvubei holder 
changes 01 attempts to change any demographic information 01 biometric information of a 
aadhaai munbei holder by impersonatiug'or attempting to impersonate another person, 
dead oi alive, leal or imaginary, shall be punishable with imprisonment foi a tenn which may 
extend to thiee /ears and shall be liable to a fine which may extend to ten thousand rupees. 


Mi. Whocvei, not being authoi ised to collect identity information undei the provisions 
ot has Act, b> words, conduct oi demeanour pretends but he is authorised to do so, shall 
lie punishable with imprisonment foi a teirn which may extend to thiee year oi with a fine 
JO which may extend to ten thousand rupees oi in the case ot a company, wi'h a fine which 
may extend u one laid; tupecs or with both 

37 . Whocvci liueutionnlk discloses transmits, copies oi olheiwise disseminate^ 
any identity mfoimatioi. collected m the \xtusc o( emounent oi authentication to any 
peixon not authorised undei this Act shall be punishable with imprisonment foi a teim 

13 which may extend to tluec yeai s oi with a fine which may extend to ten thousand rupees ot. 
in the case cf a company, with » line which may extend to one lakh rupees or with both. 

38. Whoever, not being uu'horLcd by the Authority, intentionally.— 

(u i accesses ot seemes access to die Central Identities Data Repository: oi 
(/_>) downloads, copies oi extiacts any data from the Genua) Identities Data 
3> Repusiloty oi sloted in any icmovable slot age medium; or 

fr) miioduces oi causes «> be introduced any viius oi other compute i 
contaminant m the Genual Identities Data Repos uoi y, oi 

(d) damages oi causes to be damaged the data m the Genual Identities Data 
Repository Oi 

^ ( £ 0 Jisuipls oi causes disiupiion ot the access to the Central Identities Data 

Repository, jt 

(0 denies or causes a denial of access to any peison who is authorised to 
access the Central idenitues Data Repository; or 

( ? ) piovides any assistance ;o any person to do any of the ;icis aforementioned, 

30 or 

Mi) desooys, deletes oi alters any mformaium stored in any lemovable storage 
media oi m the Central Identities Data Repository nr diminishes its value or utility oi 
effects u injuriously by any means, oi 

u) steals, conceals, destroys or aUeis or causes any pci son to steal, conceal, 
35 desnoy or altei any lOinpulei souice axle used by the Authority with an intention to 

cause damage, 

slhtil l>c punishable with imprisonment to* a tain winch nn.y extend to tluee veins and shah 
be liable to a tine which shall not be less than one more mpees 

k\i>Unumou — Foi the purposes oi tins section, the expressions “computer 
4} contaminant”, * computei vnus ’ and "damage" shall have die meanings respectively 
t oi 2 ouo assigned to ilieni in the lUx^lw union to sectioii 43 oi the Inlormatiou Technology Act, 2000. 

y). Wltoesei, not being authorised by the Authority, uses oi l am pc is with (he data in 
the Central Identities Data Repository oi in any icmovable storage medium with the intent 
ot modifying nUoimaiionielating to aadhaai number hoklei or discovering any intormunon 
45 thereof stiall be punishable with imprisonment for a tcim which may extend to thiee yean, 
and shall be liable to a line which may extend to ten thousand rupees. 

40. Whoever gives or attempts to give any biometric information which does not 
peitam to him to< the put pose ot getting an aadhnnr numbci ot authentication or updating 
lus information, shall he punishable with unpi isonment fora teini which may extend to three 
50 years oi with a tine which may extend to leu thousand rupees oi with both 


Peiuliy for 
impersonation 
or oadluai 
number lioktci 
by changing 
demographic 
iuforiiiaiion 
m biometric 
uiionnaiioi* 

Penally Joi 
impersonal ion 


Penally lot 
cludOAing 
tJi ..lily 
in foi mad on 


Penally for 
unauthorised 
access to ihc 
CVuual 

Iduiitlm* Data 
Repositoii 


Penally foi 
tampering with 
tlala In CeuUal 
Kle-mtles Data 
Repository. 


Penally for 
manipulating 
biometric 
i ii foi mat ion 



< 1 t 



General 

penally. 


Offences by 
companies. 


Act <o apply 
for oflcucc or 
controveiuion 
committed 
outside India 


Power to 

investigate 

offences. 

Penul'ics not 
to interfere 
with other 
punishments 

Cognizance of 
offences. 


Power of 
Central 
Government 
to supersede 
Authority 





12 


41. Whoever, coir mils an offence nuclei this Act for which no peniity is provided 
else when: tfu.n in this se ;iior*. shall be punishable with imprisonment fora err.) which may 
extend to three years or vitli a fine which may extend to twenty-five thousand rupees or, in 
the ease of a company, with a fine w hich may extend to one lakh rupees oi with both. 

42. (7) V'hen an offence imetu this Act has been committed by a company, every 5 
person who at the lime the offence\v 'is committee was in charge of, and was responsible to, 
tlie company for the cor duct of the business of the comoany, as well ns tiv company, shall 

be deemed to he guilt) of the offence and shall be liable to be procee led against and 
punished accordingly: 


Provided that nothing continued in lhn> sub-section shall tender any such peison 
liable to any punishmei t provided m this Aci i( he proven that the offence was comuvtled 
w t thout Itts knowledge oi tint he ha -1 '-xeiciseri all due diligence to prevail the commission 
of such offence 


10 


(2) Notwithstanding anything contained in sub-section (7). wnere ai.y offence under 
this Act has been com nitted by a tompany and it is pro v ed thai the cfrcnce has been 
committed with the corsen! oi conn* vancc nf, uris attributable to, any neglect on the part 
of any director, manage \ secietary or other oflicci of the company, such cl rector, manager, 
secretary or other oflicet shall also l deemed to be guilt) of the offence a id shall be liable 
to be proceeded agair.s; and punished accordingly 


15 


Explanation-— Fji (he purposes oi this section— 

(a) “comp my” means any body corporate and includes a firm or other 
association of individuals; and 


(70 ‘cbrcctcr”, in rUatic n to a firm, means a partner in the firm 

43. (/) Subject. to the provisions of Min-section {2j, me p:cvisions oi this Act shall 
apply also to any offence or cot iravention committed outside India by any person, 25 
irrespective of his nationality. 

{2) For the purposes of sub-section (/), the provisions of this Act shall apply to any 
offence or conhaventi ?n commit! ,d outside India by any person, if the act oi conduct 
constituting the ofteno: or contravention involves the Central Identilies Data Repository 

44. Notwithstanding anythin!' contained in the Code of Criminal Procedure, 1973, 30 i j{ 1974 
apolice officei not l>elc w the rank o Inspector of Police shall investigate any offence under 

this Acl. 


45. No tenuity mposed un< ei ihi? Act dull prevent the bnposi ion of any other 
penalty or punishment undci any other law fot the time being in foice. 


4(>. ( l) No court .hall take cr gnizance of any offence punishable ur der this Act, save 35 
on a complaint made ty the Audio ity or any officer or person authorise I by it. 


(?) No court inferior to that of a C hief Metropolitan Magistrate o. a Chief Judicial 
Magistrate shall try ary offence punishable under this Act 


CHAPTER VU] 

MtSt LL LAN LOUS 4} 

47. (7) If, at any time, the Central Crovei nment is of (he opinion,— 

{a) that, on account ot :ircunistjtices beyond the control of the Authority, it is 
unable to discha gc the func ions or peilorm the duties imposed on il by or under the 
provisions of th s Acl, or 


/ 


X 


{/') that the Authority has persistent!) deJauhcd in complying with rmv direction 
given by (he C cnu*al Goveminent undei this Act oi m the discharge of the functions 
gj pci Id mance of tilt duties imposed on it by oi undci the provisions of tins Act pud 
as a result ot such default the financial position of ihe Authority oi Me administration 
ot the Authority has suffered, or 


to do. 


{') that circumstances exist which icndci it necessity in the public interest so 


fhcCemuI Government may, by notification, supersede die An clioniy foi such pcuod, not 
exceeding six months, as may be Sj.cut.ed in the notification and appoint a person or 

10 Prisons as the Piesidcnt ma> dueu to exeiosc now us and dtschnige functions undei ibis 
Act 


1j 


U 






IN LI I ill IV siuh notification, the Ccntird Govcniment shall giw 
*' tcasOuablc opportunity to the Autbonry to nuke lepmseiiunons against the p:Oposed 
vupei session a no shall cmismci uic itpiesemaduns it anv ot the Authority. 

< ?) Opoi Hie public.nion m a notification undei suh-sccimn ( 1 ' superseding the 
Anthoi it\.— 

u/) the Out*petson and othei mnnbeu shall, as fiom the date of supersession. 
v< ( ate th^ti offices as such. 

CM the poucs. functions and duties which may, by oi undei die piovisions 
ot this Act. be exeicised cm discharged by oi on behalf ot the Authority shall, until the 
An thorny is leconstituted under sub-section (a), be exeicised and discharged by the 
jieison oi peisons icfencd to i** subjection (/}, rnd 

u ) all properties ow ned or conn oiled by die Amhoi it) shall, until the Authouty 
is leecm diluted undei sub-section to;, vest in die Central Government. 

l-O On or he foie ihc expration of the period of supci session specified in the 
notification issued undei stih-s^ction (J >. ihc Central Government shall reconstitute the 
Audiouty bv .. fiesn appointment, of its Oluirpeison and othei members and in such case 
ary person who had vacated bis office undei clause (</) ot sub-section < 2 ) shall not be 
deemed to be disqualified lot re.tppoiinineiu. 

< 4 ) The Ccnuai Government shall cause j copy o f the no'ifixation issued under sub¬ 
section (J) and a lull lepoit of any acdou taken under this sec 1 ion and the circumstances 
leading ro such action to be laid befoie each House t f lAiuiameni at the earliest 

4 K. The (‘hanpeison, Members, officeis and other employees of the Authoiity shall 
be deemed, wndc acting oi pin potting to act in pmsuance of an\ ol the provisions of this 
»i irfoo \5 Act. 40 lie pub he <ei rants within ihe menu ;g of Suction 2 1 of the Indian Penal Code 

49 . Without prejudice m ihe fotegoing provisions of this Act. the Authoiity shall, in 
exercise of its powers oi the petlbnnaiice of ns functions undei this Act be bound by such 
diieotk'ns on questions ol policy, oilier than those relating to technical and administrative 
matters as the Central Government may gri e. in writing to it, fiom time to time* 

40 Provided that the Autlxirity shall, as far as practicable, he given an oppoitunny to 

express its views before any duechon is given under this sub-section, 

( 2 ) TJie decision of the C entral Government, whether a question is one of policy oi 
not. shall be final 


at) 


Members, 
offuus, etc 
lo be public 

See JIKS 

Power ot 
C'ctmal 
iioveiumeiu 
to fisiiie 
Jirecuoiw 


50. The Authority may, bv general oi special oidei in writing, delegate to any Member, 
^15 officer ol (he Authority oi any othei person, subject lo such conditions, if any, as may be 
Sj>eeified m the order, such ol us powers and Junctions undei tins Act (except the jxiwei 
under section 51) as it may deem necesstuy. 


Dclc-ulioi) 
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51. No suit, prosecution or other legal proceeding shall lie agaif si the Central 
Government or the Audi jrily or (he Chairperson or any Member ot any c fficer. or other 
employees of the Authority for anyth ng which is m good faith done or intended to be done 
under this Act or the lule or regulation made thereunder 

52. (/) The Contril Government may, by notification, make rules 11 cony out the 5 
piovisions of this A^ t. 

(2) In particular. «rd without pi ejudice to the geneiality of (he forego ng powe r , such 
rules may provide for all or any of the lollo'vmg mailers, namely — 

(rt) the form and aianuci m which and the Authority before whom the oath ol 
office and of secrecy is to be subscribed by the Chairperson and Men hers under sub- 10 
sed Kin (2) of sect, on 14: 

(b) the .^ala»y and allowances payable to. and othei lenns and conditions oi 
service of. the Chi irperson ;n< the allowances or remuneration payable to Members 
of (he Authority imdci sub-sec ion O') of aeci«on 14; 

(c) the other powois am' functions of the Chairperson o> (lie Authority under |5 
section 17; 

(d) the othc powers ami functions of the Audioiity under ci.uise { t ) of sub- 
section (2) of section 23; 

(c) the lonr of annual Malemcnt ol accounts to ne ptepaied by the Authority 
under sub-seciion (/) of iecli m 2d, 

( f ) the form and the mtnnei in which and (he lime wilhin w nth returns and 
statements and particular aic to be furnished umJe. sub-section (/* of section 27; 

(g) the foriT and (he nu unci and (he lime at which (he Audio ity shall furnish 
annual report under sub-seed >n (2) of action 27, 

i 

(h) any othc r inatier winch js u*quii ed to '>e oi ma >' be, presen >ed. oi in respect 25 
of which provision is to lie or nav be* made by rules 

53. (/) The Aulh< rtly may, In nodfieation, make regulations consist enl with this Ac! 
and the roles made theieunder. for /airying out the provisions of (his Aci 

(2) In particular, and without [ icjud'ce to the gcneraliiy of the foreg )ing power, such 
regulations may provid: for nil or any of the following mat ten. namely.— 30 

{a) the biometric information mulci clause (e) and thedemogr; pi tic information 
under clause {//) )f section 2 

( b) the process of collecting de aociaphic information and biometric information 
from die individuals by enrolling agencies itndei clause 0) of section 2; 

(c) the manner of furnishing the demographic informaticn and biometric 35 
information by die resident under sub-section (/) of section 3; 

(r/) the mwi tier of veufying (lie demographic information and biometric 
information for issue of aadlitar nuinbei under sub-section (2) of j action 3; 

(e) the coi ditions, fee% and manner ol aullienticalion of th* uadhaar number 

under sub-section (7) of sec .on 5. 40 

(/) the othor functions <o lie pet famed by Central Idenliliej Data Repository 
under section 7; 

(g)the mat met of updalmg biometric infonnalion and demographic information 
under section 8; 

(//) th< oth ir categoric . of individuals under section 10 for w! io:n the Authority 45 
shall lake special incasutes oi issue of aadhaar numbei; 
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{/) die lime and places of meetings ot ihe Authority and ihe piocedure foi 
honsacnon oi business* io be followed by it (including ihe quorum) under subjection 
ii) ot section 18, 

( j) the salary and allowances payable co, and othei leans and conditions of 
5 service of, the chid executive office;. officers and other employees of the Authority 

under suo-section (3) of section 20 . 

</;) die demographic information and biometric inform., lion and process for 
tlteir collection and vci ificr-noa undci clause [n] and the manner ol their collection 
uodei clause U>) of sub-section (2) ol section 23: 

Ki (I) the .manner of maim anting and updating the infoi .nation ot individuals in the 

Cenkul Identities Data Reposnoty undei clause U) of subjecti an (2) of section 23. 

twMhc manner ol omitime a.xl deiulivatine cn aadhaarnumbii and mformauoii 
\Hating thereto undei clause (*; ot suh-secimn (2) of section 23, 

m) die usage and dfphcabdkj ol tht aadhaai numhei foi dchveiy of vnuous 
13 benefit and sc. vices unde, dense (7/j of sjh-sech.m (2) of section 23; 

{o) Uie tetms and omdutoab foi appointment of Regisharv emolline agencies 
and othei seiviec providers a;id tire ievocation of appointmenu thcieofuiiderclau.se 
{<) ot >.iih section ( 1 M of sc« cion 23, 

;/») Hie nuniiri ol sinning infconatiou of aadhaai nu*ur>ci holder under daj.se 
30 (ki of sub sechon (2) of section 23. 

{/j) vanous processes idating to u.ita management, steuntv piotocol and other 
'ethnology sategmuds undci clause {w) of sub-section (2) ot section 23. 

0 ) die procedure lot issuance ol new aadhaar numbei to existing aadhaar numlrei 
holder under clause (n)ot sub-scunm i2) ol section 23; 

>5 {s\ nvmnei ot authorising Registrar, enrolling agencies or other services 

ptovtdeis to collect such fees toi services provided by them under clause (o) of sub- 
v^tion tl) ol section 23. 

in ,*»licres and p» acticcs to be loll owed by the Registrar, emailing agencies and 
other service pirn ideis under clause (rj of sub-section i2) of section 23; 

j) (i«) the allowances oi reimmeutioii anu terms k uul conditions of consultants, 

advisors and othei jiersons under sub-section (7) of sect ion 23: 

(i*i the manner in which an aadhaai number holdet can access his identity 
information undci sub-section of section 3th 

(n; (tie manner ot alteration ol demographic information under sub-section (/) 
35 and biomeipc infoi manou under sub-section ( 2 ) of section 31; 

ta) the manner ot and the lime for maintaining the details ol tequesi lor 
iHUhentiCvit'on and the respoure firereon mnlei *ub section (2) of section 32* 

(v) the manner ot obtaining, by ihe aadhaar number holder, the reeoids of 
request tor authentication of his aadhaar mnnhei and response thereon under 
do sub-section (2) ot .section 32. 

(r) any-ocher matter winch is tequii ed to be, ot may be, specified, or in respect ot 
which provision is to he oi may be made by regulations 

54. Every rule and every regulation made under this Act shall be laid, as soon as may 
be after it is made, before each House of i’arliamciu. while it is in session, fora total period 
45 of thirty days which may be coiupi ised m one session or in two oi more success ve sessions, 
and if, before lire expuy of the session immediately following the session or the successive 
sessions aforesaid, both Houses agree in nuking any modification in the tule oi regulation, 
oi both Houses amee that the rule oi regulation should not be made, (he rule or regulation 
shall thercaltei have elteci onh in such modified form or be of n< > effect, as the case may be; 
5 U so. however, dial any such modification oi annulment shall he without prejudice to the 
validity of auvthing previously done undci that rule or regulation 
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55. Tlvc protisiots of this A< 1 shall be in addition lo, and not in derogation of, any 
other law for the time teing in tore*' 

56. (./) If any difliculty arises in giving effect to the pi ovisions of tit * Act. (he Central 
Govemuieti' may, by older, publuhed in the Official Gazette, make su it provisions not 

in cons is tern with die p ovisions of riiis Art as t.uty appeal to be necessary for removing the 5 
difficulty. 

Provided that no such order shall be made under this section after :he expiry of two 
years front the corune icemeni of this Act 

(?) Every older made undei (his section shall be laid, as soon as may be aflei il is 
made Wore each Hoi se of Pa, li at 11 <:nt 10 

5 7. Any tiling do* e or any acli* m t<*kt n by the Central Govern n*.ep.t un iei the Resolution 
of the Government of l idia. Ptaninnc Commission bearing notificat ion nu 1 noer A-43011/02/ 

w c 

2009-Admin.i, dated lie 28th January. 2Q0A shall he deemed to have b cn done or taken 
under the correspond! ig provision. > of this Ac 1 


n 

O 
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STATEMENT OF OBJ Ef.TS AND REASONS 


TlicCcnir.il Government had decided ro issue unique ideindication numb<-i$ to all iviidniti m 
InJiu and u> certain othei pcr>on<. The scheme 01 unique identification i*i\ lives e oh ecu on ol 
demogtaphic mioi illation amt biuinelitr luiotiiLUion fiom individuals lor the purpose of issuing of 
unique tdenofieaeou numbcis to such individuals '! lie hmiucmc uilonih'tion would involve taUu g 
n( :i set o- biological atltibuies ol such irdividu.iU 

2 Hie Cciuial Govemmem. fot in. pu.poses ol issue ol the unique identification uumlvis. 
lOiiiHiuHcd, w./e it* notification dated the 2Sth J.muaij 2009 being of executive m nmuie. tlie 
Unique Uenutnation Autbomy ol India, which i- at piescni Irnctiomn* undei the Punning 

l ‘umin'SsKat 

\ It I as oecu obsuved and assessed that die issue cf unique identification number: uui) 
imulvc ccilam issues, such asfa* wmt\ and confideimalry of mfouiuUioiu imp vtiiion ot obfigatimi 
(.■: disclosuic ot irfotutaiion >o collected mcetUiu wises ^bl impet souauou by ecjtain individuals at 
die tunc of emohuem. loi issue ol utuqtic tdcntdleaucu numbei s, (c) unauthoiis*‘d access iu the 
C'-tmal Idei.t.tK*' Data Roxsiituy, idi uidiupitl ntott of biomenic iitioiiu'lion, (el investigation of 
vCKaui in..* cotisa'uuug oft cnee, and (ft rnaudiotisc-d dUJrr.uic of the intounatu-n collected lot the 
puqxises of is mu- ol rite unique u’eimTwU.on uumbeis wliK'li sltould be uddicsscd by law anti attract 
penalties 

4. In view of die loicgaut" p ua*.iaph, it has been k*!t necessary to make the ‘.aid AuUtorily :is 

a statutoA authority ioi carrying out the Umetious ol issuiug i dent die at ion numbers to the residents 

iu India in ane license manner ft U, riteicioie, proposed to enact die Naiion.il Idcimncauon Aotiio.iiy 

of India Hill, 2010 to piovide for the establishment ot the National Identi lira non A.u(l tot it) of India 

lot rite jmipost ol issuing idciuifieaucm numbei > tv. Inch has beet* referred to as nadluai numbe,) to 

individuals lestdmg in India and to certain other chides of inch viduaK anti manner of ami km ilk anon 

ot sue 1 ! individuals tn facilitate access to benefits and services to such individuals to winch they me 

•* 

at tdlcd and lot mutters connected riiciewHh oi n.cioental tlteictn 

3 Tue Nj'khi.H identification Authoiit) ul* India Bill, 2010 , i/«e; olio, seeks to piovide— 

in) ioi issue ol a.idhaar numbers to e\ety uddeni b\ the Auritority on ptovidnig Ins 
demographic tnfoutianon and btomvuic mlotmafion to it in suen man i-n as may be specified 
by regulations. 

(b) foi authentication ol rite audit am numbci oi an aadluru. numbei holder iu telation to 
his biometric itUbuturikni and dcmogianhic information sub|rot to such conditions and o.i 
payment i»l such I vs as may tv specified bv l eg u tail cuts; 

(<) lot establishment oi the National klcittificatiuu Authority of India consisting of a 
Cluupeisou and pvo pail-lime Meinbets. 

Oil that tin Audio my to cxeicis. puwvis and utschm?-' functions which mier olu\, 
include*— 

(/) specifying tite demographic iufounaiion and biometric iiifoimation tor 
ciiiohueiM Cor an rtadhaat numbu and the processes for collection and verification 
dteicol. 

(//) collecting demogiaphic information and biometric iniormaiion fiom 
;ui\ hKlivkhmi seeking an aadhanr numbei in such manner as may be specified 
bv regulations; 

(///) appointing of one oi mote entities to opeiate the C'eniral Idenfitiei 
Data Repository; 

(/u) maintaining mid updating the infotmillion ot individuals in the Central 
kictUriies Daia Rcposiioiy in such manna as may be specified by regulations; 

trj specify ihe usage and applicability of the a ad 1 mat numbei foi delivery 
of vanous benefits and seivices as may be piovided by legulanoiis; 
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(c) lhiH the Authority shal! not require any individual lo g ve information 
pertaining to inis race, reli .lion. caste, tribe, ethnicity, language, treome or health; 

If) (hat 'he Authority mav engage one or mote entities lo establish and 
maintain the Central Ident ; ties Data Repository and to perforin air other functions 
as may to specified by regulations: 

(, > ^ consliiution ot the Identity Review Committee coi listing ot lliree 
member., (one of whom shall he the chairperson) to ascertain the extent and 
pattern of us tge of the a.dbaai numhet* across the countiy and prepare a report 
annually it. icla'ion to tin: extent and pattern of usage of the a tdhaai numbers 
along with its recommendations theieon and submit the sanv lo the Centra. 

Oo'*criu rent, 

(/;) Uist Ihc Authoiilv shnh laKe incisures (including sea rry siitetauiids) 
to ensure 'tiat the information in the possession 01 co.iliol <-l 'he /'uti.oriu 
(including irfcrmation Mined in the CcntnlIdentities Dai; Repo .doty) is ‘ -cured 
and proiecltd against any loss or unau(housed access or use or unatuhonsed 

disclosure t lereof; 

(i) fa cftences mid peoall'cs fo. contravention of the ftovi,;ons of the 
proposed legislation 

6. Tlie notes oncliuses explain in detail toe varous provisions cent; med in the Bill. 

7 I7v Rill seeks 'o achieve the above objectives. 


New Delhi; 

7710 Mi Nowmbcr, ItOlC. 


MAN viQHAN SINGH 
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AtJ/i’i on (Ittiisi’i 

Ckmse 2 —This dnuse contains definitions oieeiuin wmd; and expressions used in 
H>e pioposed legislation. These definitions, inter altn. include the definitions of “aadhaar 
number’*, “aiuheiuicatinn \ “Central Identities Data Kepositoq ” demographic informa¬ 
tion". identity information". *‘i evident". “Review Committee" etc 

Oau.se 3 — Tlus clause piovides for entitlement to obtain an aaJhaai numbei by even* 
resident It proposes that every icsidcni shall be entitled to obtain an aadhaai number utter 
providing his demographic mfoimatron and biomciiic mlormation to the authority in such 
manna as specified by tcgulations it tun her pi ovules that the Central Gov eminent may tiom 
time to time nob f> die other l aicgory of individuals who may be entitled to obtain an aadnanr 
uumnei U also provides that r he Atuhoi uv alter veiilying Lite demographic information and 
hiometnc information piovided by the icsidem, issue an aadhaai immhei to such resident 

r unisc 4 This clauie deJc \vi f h t!ic piopcities of uudluUa m.nibu It piovide.s that 

aadhaai numbei issued to an individual shall not be re* assigned to anvothei individual 
it shall be a random number and bcai no mitUxKes o»• identity data lclating io the aadhaai 
nmnoei holdei. it fuHher pun ides that the aadhaai number can be accepted as pi oof of 
idem it) o f its holdei but .subject io uuilveiuicaiion. 

( Tune 5.—Tins clause cmpowei * the A mhcnil) to pci torn i authentication ol the aadli.ua 
nuiTihci c.i a :.adh wuumbei holde* iraeTiioiitolus biomcinc information and demographic 
miotmntion subievi to such conditions and on payment of such fees and in such inannei as 
spculied by regulations ft funhe: empower .he Authority io tesnond to an authentication 
querv wdh a jxisuive oi negative tesponscoi with anvothei apptopinite lesponsc excluding 
an; demography udonmnoii end biometric mtoinudon 

Clause 6—Thi-> danse Ju>s down mat the aacllin.ii number oi the authentication 
thereof shall not, by itself, confer any right of oi be pi oof of citizenship oi domicile m lespect 
of an aadhaai munbet holdei. 

Chiusc /—Iks clause empowcis die Authority to engage one c* inoie entities r o 
establish ami mainiam (he Centra! identifies Dab. Repository and to pci form any other 
functions as piovided under regulations 

Clause fc! — Tins clause deals with die updating of the demographic inhumation and 
niometuc information of the andluai numbci holdei s. fiom lime to finic. in such mannet as 
specified by regulations so as io cnsuie comiuued accciacy of their information in the 
Central Identities Data Repository 

C inuse 9 —This clause prohibits the Authority from lequinng any individual to give 
infomuuion jwuaming to his race, ictigiou, caste, tribe, ethnicity, language, income or health 

Clause 10—This clause empowcis the Authority lo take special measures to asue 
aadhaai numbci to women childien. semot citizens, peisons with disability, migiant un¬ 
skilled and unorganised woikeis. nomadic tubes ot lo such othei pci sons who do not have 
any petmanent dwelling house and such othei categories of individuals which are specified 
by regulations 

Clause il — Tins clause piovides foi esuibLsmnenl of the National Identification 
Authority of India, by the Central Government, to exeicisc ihe poweis tonfeired on it and to 
perform the functions assigned to it undei the proposed legislation The stud Authoniy shall 
be a bod) corporate, having |KrtpciuaI succession and a common seal, with power, subject to 
the provisions ot the ptoposed legislation, to acquire, hold and dispose of pmperty, noth 
movable and immovable, and lo contract, and shall, by the said name, sue oi be sued. It 
fiuthe* provides ku* die local ion of the head office of the Authority in the National Capital 
Region and wkh the prim appioval of the CenUal Government, to establish its offices at othei 
places in India 

Clause 12 —This clause lays down the composition of the Authority consisting ot a 
Ghaupcison and twopiul-hme Members to be appointed by the Central Government. 
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Clause 13.—This clause prov dc:s few qualifications for appointment of Chairperson 
ami Members of the Authority. It provides (hat persons of ability, integrity arc! outstanding 
calibre having experience and know'edge m the mailers relating to technology, governance, 
law, development, c« : 011 c mics. finance, management. public affairs or administration shall be 
qualified as Cliaiqx r >or and Members of the Authority. 

Clause 14 — This clause provides fro leini of office and other conditions of service of 
Chairperson and Members. Il provide* that the Chairperson and the Members shall hold 
office for a term ol 'Ime years front the dale on which they assume ofice and shall be 
eligible for reappointment. It also provides that (he Chairperson or Memhei of the Authority 
shall not hold office as uich after hr has attained the age of sirty-fr e yea s 


It also provides that the Chai oeison of the Unique Identification Authority of India 
ap|xinted before die commencement of the moposed legislation by notifies turn A-4?(hl/02/ 
2009-Adnm.l <Voi.U) :Ued the 2nd . tuy, 200') shall connnue as a Ch.vjpei son of the Author¬ 
ity unde' the pmjxised egirlation ft »r the term fro which he had been app- tinted 

It also provides t int the Chail person aiKl every Member shall, heft re entering upon 
(lieu office, make and subscribe to. an oath office ami of secrecy, in such form and m such 
manner and before such Authority is mav be pie sen bed. 


It also pro vide. > 4. »at noiwithsMtidmg anything contained iii rtT-davse (1). the Chair¬ 
person 01 Member may relinquish hi.; office, by giving in writing to theCci ual Goveinment, 
a notice of not less tha 1 thirty day? or be removed from his office in ac< ordance with the 
provisions of clause 15 It also provKles that ilic Chairperson shall not hoi I any othei office 
during the period of lidding Uicir o i3F ice hi the Authority <.s such 

It also provides that the salaries and allowances payable to, and th : other leans and 
conditions of service of, the Chaiqierson and allowances or remuueratio 1 payable to part- 
time Members shaU be such as may be pre'eribed by the Central Govemro ml but neither the 
sauuy, allowances poi he other leu is and ccndriuns of service of Tie CTi.iirpei>on shall be 
varied to Ins disadvantages after hi> appointment 


Clause 15.— This clause provides lor removal of Chairperson aim Members of tne 
Authority. It provides t iat the Cent a! Go\ ei nment may remove from offii e the Chairperson 
or a Member of the At thority on any of ihe grounds enumernted in tins 1 lause. 


It further provid ;s that tlie ( hatrpeison or a Metnl>er shall not be e moved from his 
office <n the grou ids jpecified in tern (d) or (e) of sub-clause (1) unless fie has been given 
a reasonable opportunity of being heard m respect of those charges 


Clause 16.— Tt" is clause prohibition as to holding of offices by llv Chairperson or a 
Member on ceasing to he such Chairperson 01 n Member of the Authority. It provides that on 


ceasing to hold office, the CJuuqpei son 01 Member of the Authority, as the case may be. shall 


subject to the provisions of the proposed legislation, lie ineligible, foi furl! cr employment in, 
or. connected with the management or admumh alien of. any person whk h has been associ¬ 
ated with any work undci the Act, tot a penod of lluee years. It also prov des that the clause 
shall not apply to any imploymen 1 under die Central Government or a St ite Government or 


local authority or in a ly statutory authority ot any corporation established by or under any 
Central, State or provincial Act or a Government Company, as defined ir section 617 of the 
Companies Act. D5<5. 


It also provides prohibition *0 act. lot or on behalf of any person ot organisation in 
connection with any sxcific proceeding 01 transaction or negotiation or 1 case to which the 
Authority is a party and with respect to winch the Chairperson or such Member had. before 
cessation of office, a;tcd for or provided advice to. the Authority: to jive advice to any 
person using information which vms obtained in his capacity as the Chairperson or a Mem¬ 
ber and being unavail tbie to or not being able to be made available to the public; lo enter, for 
a period of three years from his la »i day in office, into a contract of sen ice with, accept an 
appointment to a boai d of director * of, 01 accept an offer of employment with, an entity with 
which he had direct and significa it official dealings during his term of 1 Ificc as such 


r 


21 




Clause 17 —Tins clause lays down the functions ol the Chau pci son. U provide* that 
the Chaupeisou shall have powcis ol general superintendence. daeclion in ihc conduct of 
the atlnus ot ihe Authority in addition to piesiding ovei the meetings ol the Authority and 
without piejudice to any of the piovisions of the pioposed legislation, to exercise and 
discharge such powcis ami lunctions of the Authomy as may be prescribed. 

Clause ltf — This clause empoweis the Authority to dcleimine the procedure for the 
tiaasuaion ol husiness in ns meetings including furies and places of such meetings. P 
provides dut thr Chau pet son. oi, i( Ibi any leason, he is unable t > attend a meeting of the 
Authority, the ,caio. most Member dial) pirside osei die meetings of the Authority. 

li further provides Unit all questions which come up before any meeting of the Autlioi- 
ity shall lie decided by a majority of votes by the Members piescm and voting and m case of 
an equality ol \*»tes, the Chanpeison 01 m lus absence the Mcmbci picsicimg ovei shall 
have a second "i casting “ole and all such decisions of the Aiuhoniv shall !)c authenticated 
in ihc signature or the c hr .person ot «un other Mcmoci .aKhon^d by the Authority in dm 
IndutH 


It also piowdcS that any Meinliei, who a duectoi of a company and .vlui as such 
tine cum, has an, detect 01 indued pecuniary iiucmst m any mauei coming up tor consider¬ 
ation M a meeting of die Authority he shall. as soon is possible altei relevant circumstance*: 
have come to his knowledge, disclose the naiuu of his inleiesi at such meeting and such 
disclosure sliall t»e lecoided m the pi deeding* of the Authority, and tiie Member shall no: 
take part in any deliberation cn decision of the Authority with resoecl ro that matter 

Clause is 1 —Tins clause enumeiates live cueuinstances under which die acts or pio 
ceedtmis of the AtHhot *ty sliall not tie mvahdated It pio\ ides that no act or proceeding of 
the Authority sliall Ik; invalid metcJy by leason oh any vacancy in, or any defect in the 
constitution of, ihe Authoi ity. . ny delect in tire appointment of a person as a Member of the 
AutlKincy; ot any inegulaniy in die |»*occdure of die Authouty not affecting die meats of 
the case. 

» 

Clause 70—Tins clause makes provision lor appointment ot olficcis and otliei 
employees ol Authority It piovides for the appointment of a chief executive otficu of ilk 
Authority by the Central Government, w !k; shall act as die Mcmbei -Seonetniy of the Authority 
it also provides for deteimining (he munbci. nacuie and categories of other officers anc. 
employees requited to (lie Aullionly in die discharge of its functions 

ft also ptowdes ioi tile determination of tlie salanes and allowances and the olhci 
terms and conditions of seivicc of the emef executive oJ'ficei and othei officers and otliei 
employees ol Hie Authority lay icgulauon with the approval of the Central Government 

Clause 21.—This clause lays down functions of the chief executive officer. The func¬ 
tions uf llic clue! executive office i, who shall l>e die legal icpi esc mauve of the Authority 
mu', aiUu shah be die day-to-day admunsii alien and implementing the woik piogmmiue.*- 
a t *j decisions adopted by (lie Authority: di awing up of proposal for the Authority's work 
programmes, the preparation of the statement of revenue and expenditure and the execution 
oi (he budget ot the Authority, submitting every year a geneidl report covering all the 
activities of Ihc Authoniy in the pievious ye.u and programmes of work; mul Ihe annual 
accounts few tlte pievious yeai and the budget fot the coming ye at. 

it further lays down that the chief executive officer shall have administrative conuol 
ovei tite oilWis and othei employees of the Authoniy. 

Clause 22.—This clause makes piovision for transfer of assets, liabilities of the 
Authority It provides that on and liom the establishment of the Authority, all the assets and 
liabilities of live Unique identification Authoniy of India, established vide notification of the 
Government ol India in the Planning Commission number A-43011/02/2009-Admin.I, dated 
die 28th January, 2009, shall stand nansfened to and vested in the Authority to be estab¬ 
lished undei the pioposed legislation 
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It further provide* that all dal? and information collected during euro mem, all details 
of authentication psrforned, debts, obligations and liabilities incurred, all onliacls entered 
into and all matters and .hings engaged to be done by, with or for such Um< ue Identification 
Authority of India for cr in connect'd! with the put pose of the said Unicue Identification 
Authority of India, sha I be deemeo to ha\e been incurred, entered into or engaged to be 
done by, with or for, th< Authority nid all sums of money due shall be deemed to be due to 
Uk Authority and all suits and olhe legal proceedings mstitu'ed or which could have been 
instituted by or against such Uniqu 1 kien’ificalion Aulhonty of India may be continued ot 
may be instituted by cr against the Authority. 


Clause 23.— Thi 1 clause lays down die powers and Junctions ot Authority. U piovides 
that the Authority sha 1 develop hie polity, procedure and systems foi issuing aadhaai 
lu.mber.s to residents ai d pei (orm ? Khenlication theieol undei this Aci II further specifies 
the powers and functions of the \u riant) vm.h, mu r oho include, spec fynig, by regula¬ 
tion, demographic infoi mation and i uometnc information toi enrolment foi an aadhaar num¬ 
ber and the proces:es fx colleclior and verification thereof, collecmg demographic infor¬ 
mation and biometnc i nformation from any individual seeking an aadha* 1 r number in such 
manner as may be upcc fied by legislations appointing of one o r more enti ies to opeiate the 
Central Identities Data Renomoiy; generating it;d assigning aaohaar numbers to individu¬ 
als; perloiming autheniication of tiv dadh ia.* numbers; maintaining and Ujxiahng the infor¬ 
mation of individuals in the Central Identities Data Repository in such i iannei* may »ie 
specified by regulations; specify' lie usag* and applicability of the aadhaar number fot 
deliver)' of vorioui berefits and sci uccs a> may l}e provided by regulatio is specifying, by 
regulation, the terms axl conch hotr» f^r « .ipoinlmcnl of Registrars, enrolling agencies and 
service providers ?nd i woe a don ol appointments thereof; establishing, oj crating and main¬ 
taining of the Central dentities Dr.ia Repository, calling for information and records, con¬ 
ducting inspections, inquiries and ,unlit ol die operations for the purposes of the proposed 
legislation of the Ccnli ll Identities D da Repositoiy. Registrars, enrolling agencies and oilier 
agencKs appointed ui der this Ac speed) mg. by regulation, the coud Lions anti proce¬ 
dures for issu'inc; ot new nadbaai number to existing aadhaai numbei hcldei, 1e''y and 
collect the fees or autl orise the Registrars enrolling agencies or other sc rvice providers to 
collect such fees lot the set vices provided by them undei the proposed egislation in such 
manner as may be spe nfied by i epilations 


ft also empiwes the Aulhonty to enter into a Memorandum of Understanding or 
agreement, as the rase nay be, vriti t the Central Government or State Gov aliments or Union 
territories or other age icies tor the our pose of performing any of the functions in relation to 
collecting, storing, securing or pm* essinr of information oi perfowning < iMhenlicalion; and 
appoint by notification, <uch number of Registrars, engage and aulhoris i such agencies to 
collect stoic, secure, >mcess info nation ot do authuibnation oi perfou i such other func¬ 
tions in relation tberet), as may oe neces.vuy for the puqxiscs of the proposed legislation or 
to engage such oust Hants advisors and other persons as may be required Jor efficient 
dischaige of its functions under this Act on such allowances or remuneration and terms and 
conditions as may be specified b) regulations. 


Clause 24.—This clause nnkes provision for giants by the Central Government It 
provides that afte** du : appropriation made by Parliament by law the C ntral Government 
moy make grants of si ch sums of n ioney as il may think fit to Che Authoriiy for being utilised 
for the purposes of li e proposed legislation 

Clause 25.—This clause provides (or other fees and revenue. It provides that fees or 
revenue collected by he Authority shall be ciedited to the Consolidated Fund of India and 
entire amount so credited shall tot transit* ired to the Authority. 


Clause 2f5 Tl is clause ni.ues provision fot accounts and nuoil It provides that the 
Authority shall main! tin proper ir counts and other relevant records am ptepaie an annual 
statement of account, in such fmm as may be prescribed by the Central Government in 
consultation with the fomptrollei md Auditor-General of India 
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ft lurthei provider dial the accounts oi the Authority shall be audited annually by the 
Compuollei and Auditoi-Geueial of India at such intervals as may oe specified by him and 
any expenditure incurred in connection with Mich audit shall be payable by the Autho/itv to 
the Comptroller and A uditoi -General. 

it also provides that the accounts of the Authority, as emitted by the Comptroller and 
Auditor-General or any other person appointed by him in this behalf together with the audit 
report thereon shall be foi wauled annually to die Central Government h> ihe Authority and 
the Central Government shall cause the audit report to lx: laid, as soon as may be afrei u is 
icceivcd, before each House oi Pai iiament. 

Clause 2 7 .—Tliis clause piovides foi leturns and annua! icpou. etc. It provides that 
the Authority shall furnish to ihe Central Government at such tune and in such form and 
lTuinnei as may he pi escribed oi as die Ccriwl Government may duca such returns ami 
sl.itenvnls and pmticulais m regaiJ to a<r ir-auei mulei the jurisdiction cl die Authority. ,u 
the Ce'iual GouTtimcin may uom time to time lequuc 

It furlhci provides* that the Aruhonty shall pieparc, once m e\eiy year, and m such 
tbim and manner and at such time as may be prescribed, an annual repot t giving a description 
o! all the activities of the Authority tor the pievious Years, the annual accounts for the 
jnevious yeai, and tne ptogiJ'cin«es of work 'or coming veer. A copy oi >uch ie|joit shall be 
laid by the Central Government before each House of Parliament 

Clause 2K— Tins clause piovides foi flic Review Committee. It piovides that the 
Ceiiti.d (roveivmeut inav, by u'HUication, constitute tlie Identity Review Committee, consist • 
ing oi tluec mcinbcis (one oi whom shall be the chairpejson as such designated by Hu* 
Cenitat Government; who aie poisons oi eminence, ability, integrity and standing in public 
hie having knowledge and experience m the fields ot technology, law, administration and 
governance, social set vice, journalism, management oi soc L.d sciences, to dischaige func¬ 
tions sj>eci lied under sub-clause <1) of clause 29 in inspect of any mattei connected with Ilk 
usage o>' tiie aadhaar number 

b fujthei provides that die mcinbeis cl me Review Committee snail be appointed bv 
the Central Government on the icvornmcn cations of a committee consisting of the Prime 
Minister, who shall l>e the chat .prison of die committee; t!ie Lea da of Opposition m the Lok 
Suhhu: and a Union Cabinet Mimslci to be nominated by the Prime Minisiei 

It also piovides that the niemba ot die Review Committee shall not lx? a Meinbci of 
Parliament or Member of the Leg»slaniie of .mv State ot Union lemiory as the case may he 
oi a membei of any political patty. A member of the Rev iew Commit ice shall hold office foi 
a term of three years from the date or. which they enter upon office and shall not be eligible 
for le appointing a and may be i emoted by the Central Government on the gtounds specified 
under sub-clause (6j. 

Clause 29 —This clause makes provision lor Inactions ot the Review Committee. It 
piovides d\at ihz Review Committee shall asceuam the extent and pattern of usage of the 
aadhaai numbcis across die coimtis and prepare a tepoit annualI> in ielation to the extent 
and pattern of usage of the aadhaai numbcis along with its lecommendarions theieon and 
submit the same to the Cenunl Government. This clause luither empowers the Review Com¬ 
mittee to deleimmc the mannei ot piepatation of the report. It also piovides that a copy of the 
report along with the lecommendations of the Review Committee shall be laid by die Central 
Government, as soon as may he aftei u is received, befoie each House of Parliament. 

Clause 3(1.—This clause provides foi security and confidentiality of information. It , 
piovides that die Authonty shall cusuie the security and confidentiality of identity informa¬ 
tion and authentication iccords of individual* and take measures (including security safe¬ 
guards; to ensuie that tlte in foi mation in the jkis&smou or control of the Authority (includ¬ 
ing information stoied in the Ceniial Identities Data Repository; is secured ami protected 
*• 

nmunsi any lo^s or unauihonsed access or use or unauthorised disclosuie thereto. 
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It further provide* (hot nolwfthslsindm}'. anything contained in any t ther law for (lie 
time being in force end s ive as otherwise pt <n ided in the proposed legtslalit n. 'he Authority 
or any of its officer orctlKi employee or any agency who maintains the C enlral Identities 
Data Repository shall nH reveal an r infortnr.hon stored in ihe Central Mutinies Data Re¬ 
pository to any person tut an aadha ir numtiei holder may tequest tfie Authority to provide 
access to his identi’y iitlormalion in such mannei as may tie specified hy tegulations. 

Clause 31. —This clause inaki:.> provision iclating to alteration of de nographic infoi- 
mation or biometric ,nfr rotation. It piovides that in case any demographic 1 ifomwtion relat¬ 
ing (o an aadhaar n.’mbir lioldei is round incorrect ot it changes subseqm nlly, and in ease 
any biometric infonnali ?n of ttndha.ii munbe. holder is lost or changes subsequently for any 
reason, then the aadha ir number holdei .hall request the Authority to niter such demo¬ 
graphic information or bicinetnc ndonnation m his recoid m the Centi; I Identities Data 
Renosilon’ »n such ma: na as may U. specified by regulations 

i * 

K further ptr'idc thrl cn rece 'p! of any request for alteration of clemc graphic informa¬ 
tion or biometric uifonr ation, the Authority may. if it is satisfied, make such alteration as may 
be required in the nxoiri relating to ,uch aadhaar number holdei and mtinu tc such alteration 

to (iic coiKcmcd andbaK number bolder. 

Clause 32. — Thu clause niak s provision foi access to own information ancl records 
of requests for authentication. It ptwides that the Authority snail mairtan details of every 
request for authentication of the id-utiiy of eveiy aadhaar number holder and (he response 
provided thereon by i( n such manner and for such time as may be specified by regulations. 
It hit ther provides that ^vc.v aadh ar nuaibci holder «h all be entitled tc obtain details of 
request for autbenticat on of his rn-lhaar ru.nbei and the -espouse provided thereon by the 
Authority in such man ter as may be specified by regulations 

Clause 33.—This clause provides foi disclosuie of information in certain cases. It 
provides that piov.stoi s of sub-el; is2 0) ol clause ^0 which impose resti iclionson pre-id- 
ing information shall n >( apply in rr.peci of any disclosure of information > including identity 
information or details of authentic;! ion) made puisuanl lo an order Oi a o unpetent comt, oi 
any disclosure of infbimation (incl Jdmg identity information) made in l ie interests of na¬ 
tional security in jnirsuance of a di ‘eetion to (hat effect issued by <m officer or officers not 
|)clow the rank of Joint SccnMaty ot equivalent in the Cential Coven meut specifically 
authorised in this belu If by an ord r of the t.enlial Government. 


Clause 34.— Thisciause provides fo |>ciiolt3' foi impel sonalion at tu re of enrolment It 
provides that whoeve impersonates oi attempts to impersonate another person, whether 
deadoi alive, real or imaginary, by providuir any false demographic in fore intion or biometric 
infoimaticr shall be \ unisliablc «qth imprisonment for a tenn which may extend to tnree 
yews and with a line vluclt may <• tiend io ten ihousrnd rupees 

Clause 35.—This clause pmvides lot penalty for impersonation cf Aadhaar number 
holder by changing demographic \ liormauon or biometric informal ion. It provides that who¬ 
ever, with die intenlio i of causing uuni oi mischief lo a aadhaar number holder, or with the 
intention of appropri* ting the identity of a aadhaar number holdei changes oi attempts to 
change any deitiograj hie informal on oi biometric information of a aadl aar numbei holder 
by impersonating or attempting ir impersonate another pet son, dead or i live, real or imagi¬ 
nary, shall be puntsha >le with imprisonment for a tenn winch may extciv I to three years and 
shall be liable to a fine which ma j' extend lo len thousand rupees. 


Clause 3<i,—T1 is clause provides for penalty for impersonation. It provides that who¬ 
ever. not being auihoi ised to colled identity information under the provisions ol this Act, by 
words, conductor demeanour pil ends that he is authorised to do so. ihaJI be punishable 
with imprisonment to a tenn whrcf i may expend to three yeai* or wit h a fin : wliich may extend 
to len thousand rupee, or, in the ca„c of a company, with a fine which ma; • extend lo one lakh 
rupees or with both. 
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Clause 3/.—This clause piovides ioi penally £01 disclosing identity hilonnauon. ll 
provides that whoevei, intentionally uisw loses, Uansmtls. copies or otheiwise disseminates 
any identity information collected in the com >e <»1 enrolment oi authentication to any person 
not authorised under this Act shall he punishable with imprisonment for n term which may 
extend to thiee years or with a fine which may extend to ten thousand rupees or. in the case 
of a company, with a fine which may extend to one lakh rupees or with both. 


Clause 38.— This clause piovides ioi penally foi unauthorised access to the Cential 
Identities Oaui Repository U provides that whocvei, not being authorised by the Authority, 
intentionally, ist) accesses or scuii es access to the Central Identities Data Repository or 
(bl downloads, copies ot extracts any Jam uom (he Central Identities Data Repository; or 
sioted m any temovable medium* oi tc) lriiodtices oi causes to be introduced any vims or 
other computet contaminant; m ti c Cential Identities Data Repositoiy; or (d) damages oi 
causes to be damaged me data m the Cential Identities Data Repositoiy. 

dismpts oi zaires uisuipiion oi the arcev u, »he Cemutl Identities Darn Repository, a 
(n denies ot t auses a denial ot access to any' peison who is aulhot.sed to access the Centra: 
Identities 0.4a Repository, or tg) piovides .my assistance to any pers*on to do any of the 
acts a fenementioned, (hj destroys. deletes or altcis any information stored in any' immovable 
storage media oi in dteCe.in.il Idealities bata Repository or diminishes its value or utility oi 
eltccis it i.ijunousl) by «ny means, (j) steals, conceals desuoys or alters oi causes any 
pcisou to steal conceal, destroy or ahet any computet sour. c code used by the Authority 
wuh an intention >o cause damage, shad be punishable with iinpusomneni tor a teim which 
may extend to ihiee yeiu s and shall be liable to a tine which shall not be less than one uore 
inpees 


It tuiihei defines the c.xpiesMons conipmci contaminant’ compute! vnus” and 
‘damage’’ to have the some meanings toi the purposes ot this uausc as ate respectively 
assigned to them in die Explanation to section 43 of die Information Technology Act, 2000 


Clause 30 —This clause piovides for penalty toi tampering with data in Central iden¬ 
tities Data Repositoiy. It piovides that whoever, not being authorised by the Authority, uses 
oi t un;Vi’s widi die data in die Central Identities Data Repository oi in any temovable 
sha-age medium with the intent of modifying infonnation relating to aadhaar number holder 
oi discovering arty information thereoJ shall l>e punishable with imprisonment for a term 
which may extend to three ycais and shall be liable to a fine which may extend to ten 
thousand :ujv*es 


Clause 40.— This clause provides for penally toi manipulating biometric information 
It provides th<d whoevei gives oi attempts to give any biometric lnfarminion which does not 
pertain to him tot the pui pose of gelling an aadhaar numbei or muhemication oi updating his 
information, shall be punishable with imprisonment for a temi which may extend to tnree 
vea:s O’ wi r h a !me winch may extend to ten thousand rupees or with both 


Clause 41.— This clause piovides fot general penalty ll pio\ides that whoever, com¬ 
mits rm offence ander die pioposcd legislation for which no penalty is provided d&ewhcte 
than in tins clause, shall lie punishable with imprisonment lot a leim which may extend to 
tluee years oi with a line winch may extend to twenty-live thousand rupees or, in the case of 
a company, with aline winch may extend to one hikJi rupees oi with both. 


Clause 42.— This clause deals with Hie offences by companies. It provides that where 
an ioffence undei the proposed legislation Inis been committed l»> a company then ever> 
person who at the time when the alleged offence was committed was in charge of. and was 
responsible to, the company foi the conduct of the business of the company, as well as the 
company, shall be deemed to be guilty of the offence and shall he liable to be proceeded 
against and punished accotdingly. 


It lutihei piovides that if an) such person piovcs that the offence was committed 
without fus know ledge oi that he had exetciseJ -all due diligence to prevent the commission 
ol such offence, then he shall not be liable fot the said punishment. 
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Ii also provides mat where rny oil*nee under the proposed legislation has been 

consentw "w is aU 1 hu.’S>, e To.' ^ y° ne^ec ^ on th/parl of any director, 

m , nm . arv ( >rotlier officer ol the company, such director, manager.. -ueiarj 

ft*.*» I* p.'.lly >,«.«. be W* » be 

against and punished accordingly 

^ duct constituting 

toe offence or contention ,nvoi«. s the O ntral Identiues Data Repos,t, O’ 

Clause 44- [Km clause pro- .-to I a power to ir.vcM'gmc offeree-. It nov.des that 

notwithstanding an vtl«i« comamc.l .n the (. ode ol Criminal ^ proposed 

not below the rank of Inspector of ivtocc shall investigate any o. fence ur der the propc. 

legislation. 

Ctau'e 45 - Thi ■ clause reh.es to psnaUic:, no. to mtorferc with oil. t pumsnn.enls. lt 

(iott of R.ny tfh« .nnal y orpvmifh n-.iui.dii .myolher law Iw IN nine virgin 

Clause 46 — This clause pr. sides -or cognizance of otlences It iwovrcles that any 

court shall'no, take cognizance of .my ollence |Hiuishablc under ^ X " 

save on a complaint made by trie.. -dim d >• or any officer or r«M>n a Ml* -nsed > it 

It further nrovid. s lha. anv omet intrr-o. to that ol a Cnief Metiopo!.tan Magistrate or 
a Chief Judicial Maputo shall no, ,.v any ollence punishable unite, toe proposed legrsla- 

tiem. 

Clause 47 - Th s clause cm rowers the Central Government to stipe reede Authority. U 

provides that (lie C temi al Govemir nt may titer striisf y;ng ontoeground ^"^^cceding 
Sirs clause supers-*fc the Authority by issuing a nohftca ton .or such pc g 

six months and appou t a person r, persons as the Pros,dent may drrect to exererse powers 

and discharge fur.criots under tlu proposed legislation. 

Tt further provides that before issuing any such notificattoii. the Central Govern¬ 
ment shall give a reasonable op,x.ff unity to the Authority to make reprs — 
the proposed superse -sion and shall consider tire representation,, if an „ of Autho y. 

It also nro>”des that upon li .• publication of a notification superseding the Authority, 
fa) too Chair%nn ,nd other me „Ws Mull, as from the date ■ E 

offices us such, tb) alt the powers, functions anc. duties which n y. . 
orovistons of thi s Act, be exercis-dor discharged by or on behalt o. th. At. y ■ 

— 1hcAothori‘y i, „»».. 

refer red to in sub-da ise (1); am! CO all properties owned or 

shall, until the Minority ,s treonshluted under sub-section ,3). vest m the Centr 
C»ovcrnn>en(. 

it also provides dial tlte Cer it al Government shall reconstitute the Authority, before 
theexuiraiionof he i eiiod of sufasession, by a fresh appointment of its Chairperson and 
other mwnbers and i! such case 'rny person who had vacated his office due to supersess.on 
of lire Authority ihaU not be deemed to be disqualified for reappointmen . 

it also provides that the Carnal Government shall cause a copy of the notification aiid 
a full report of any -.Cion taken under Ibis clause and the c.rcumslan :es leadrng to such 
action to be lard oeforc each Hou. e ol Parliament at toe eailiest. 

Chuse 48 ~ 1 his clause provides that Members, officers, etc , tc be public servants. 

u a,Rin« j.. Mero.ois, o(r«« - ««» 1«* «“>' 
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shall be fleemeu. while aumj! 01 pmp.rtiinjf 10 aci in puiMunce .>i any ol ihc provisions o' 
the proposed ici-isliilion. ro be public Scu-anK u ulun me mean my of section 21 u t ihc India,, 
Penal Code. 

Clause «'■>.—This clause empowers ihc Central Government lo issue directions It 
provides that without prejudice to the foregoing provisions of the proposed legislation, the 
Am hoi Uy shall, in exercise ol its powcis ot the perfunnauce of its functions, be bound by 
suclt directions on questions of policy, other than those relating to technical and admimsua- 
tive matters, a< the Central Government may give, in writing to it, fiom time to time. 

If furdiei piovides (hut the Authority shall, as for as practicable. be given an oppoitu- 
mty toexpiess ns views be foie any dr tenon us given under this clause. It also provides tlui 
the decision of the Cent,a 1 Oovemmeut, whethei a question is one of policy or not shall be 
lam! 


Clause 5u— This clause movjdcs lo: delegation h pi\>\ide> rlu: the Authoi iiy mav. 
In gcnei al oi special Oidei m a riling, delegate to any Membei. olTicei ol the Authoi itv or anv 
oil lei person. s.tbiect to Mich condition^ it any as may be specified m the oulei. such ol its 
powers and functions tinder this Act (except the powei undei clause .53 iciaiing to making ol 
legukrtiom) as n may deem necessary. 




lause 51.— this clause pmvides loi pi ol ecu on ol action taken in good f:uth. h 
piovides that anv .suit, pioseccooti Oi other legal piocccdmg shall not he auamst the C.cnh al 
Ciovemmeiit Oi the Audiouiy cm die Cluiirpctson oi any Member oi any ofilcei, oi othei 
employees of die Authority fin anything vviucli is m good faith done ot intended to be done 
under the proposed legislation oi the mlcs oi icgtiiulions made thcieiridei 

Clause 5 1 — Tins clause empowers the Central Government to make i utes b provides 
that die Central Government may, by notification, make rules to cany out the provisions of 
the proposed legist anon It luithci specifier die matters in icspea oi which such rules mav 
be mack 

Clause 55.—This clause empo wcis die Authoniy to make leguiauons. it provides that 
the Authonty may by notification, make legiilauoin' foi i any mg out die p’ovisions oi die 
purposed legislation consistent with (he proposed legislation .uid the rules made theieun- 
ciei It fit id nr i S|»ccif»cs the matters m lespect < f which sucti regulations mav lie made. 

Clause 54 — This clause pio vines jot laying of rules and lcgtiiaiions bclore Pailia- 
ment. It piovides that every nile and every regulation made undei the pioposed legislation 
sliall (>e laid, as soon as may lie aitei it is made, befine each House of Parliament. 

Clause 55.— This clause piovides that (he provisions ot the pioposed legislation shall 
lie in addition r <>. and not in dciogati'm of, any otltci law foi the time being in force. 

Clause 56 —This clause makes jnovision for removal ot difficulties, li provides that •<* 
any difficulty aiises ui giving died to the pio visions of ihc pioposed legislation dien the 
Central Government may. by ordei, |Hihlt$hed m die Official Gazette, make such piovisions 
not inconsistent with uve pi o visions of the proposed legislation as may appear to be neces¬ 
sary for removing die difilculty. 

It furthei piovides that any such oidei foi temoval ol difficulty shall be made undei 
fins section within a period of two vcai s fiom die commencement oJ die pioposed legislation. 

It also piovides that cveiy oiJer made undei this clause shall he laid, as c oon as may 
lie ahet it is made, tocfoie each House of Pailiaineiu. 


Clause 57.— Tliis clause provides for savings. It provides that anything done or 
any action taken by the Central Government under the Resolution of the Government ol 
India, PlanningCominfisjon beanngnotification numbei A-430I I/O2/2009-Admin.I,dated 
the 2tUh faiutarv, 200V. shall be deemed to have been done or taken undei the correspond¬ 
ing ptoviMons ot the pioposed legislation 
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Clause 11 provide? tbi establishment oT the National Identification Authority oflndia 
which shall oc a body certiorate having perpetual succession and a conunoi seal with power 
lo acquiie. hold and dispose of properly and sue or be sued with the h<ad office in the 
National Capital Ration and may tMablish >(s offices at other places in .ndin Clause 12 
IKOvidcs that Autlu-rity shall consist of a Chairperson and two part-time Members. Sub- 
clause (5) of clause 14 makes provision fot salaries and allowances payable to the Chairpei- 
son and allowances or remuneration payable to part-time Members. Sub-cl. use (3) of clause 
20 makes provision for salaries an* allowances payable to the chief exec ilive officei and 
olhei officers and ether employee* i i the \i Ihonty 

2. Item <j) ol sub-clause (2) «d clause 23 piovides for establishment operation and 
mainten.uice ol the Central Identity .Pat a Repository 

3. Clause 24 provides that the C’entia Government may after due ap iropriotion made 
by Parliament by law in tlvs behalf, make to ihe Authority grants of such c ums of T.orey as 
the Central Govenimcrt may think fit lot being utilised for the purpose,* of the proposed 
legislation. 

4. Clause 25 of the Bill pros ices dial the fees or revenue collected by the Authority 
shall be credited to the Consolidated bund of India and the entire amount s * credited will be 
transferred to the Authority. 

5. It is estimated t tat there wo del be an exoendituie of approximately Rs 3023.01 crore 
in phase two of (hr scleme. Out o: this, a*i amount of Rs. 47T1 1 croie would lie towards 
recurring establishment expenditure and R*> 2,545 90ciore vvoutd be lowaids non-recurring 
project related expenditure. The . stinuleu cost for the first phase of T l*e scheme was 
Rs. 147.31 crore towai js the seUmj up urcussary infrastructure for offices at headquarters 
and regional headquarters, crcatin;. testing facilities for ninning the pt.ols and proof of 
concept studies, inkitul wotk of < ^eating .standards in various dj eos o operations, and 
setting up of a project management unit and hiring of consultants. 

6. The Bill Joes not envisag: any olhei expenditure of recurring or non-recutring 
nature. 
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MEMORANDUM REGARDING DELEGATED LEGISLATION 

Sitb-U.iuse { l) ot clause 52 oi the Hill empowers the Central Governmentlo make. b> 
notification, ml5% co cairv out the provisions o( the proposed legislation. Sub-clause (2> 
specifies the matters in respect of wlnVh *uch rules may be made. These matteis, hurt alia . 
include* (a) the bun and manna m which and the autlumty betoic whom the oath of office 
and ot seerec) •*> to he subscribed by the Chanpei, jn and Member* unde. sub-clause (2j ol 
clause {4: (b) the saJaiy .aid allow uiccs payable to. anu othei terms and condition* oi 
seivice ot. the Gfnitrperson and the allow ances oi lenumeiauon payable to Members oi the 
Authority undei sub-cLui\e < 5 1 of clause 14. «ci the other powers and Junctions of the 
C halt pet son ot the Auuioniv undei t-lausc* l?. idj the other powers and 
(unctions oi the Authci n) undei itenittj oi sutJ-elnusc ;2iol chaise23. f c'thr f'limolaniiual 
statement ot account* to be piepaied b\ Aulhonty undei sub-clause [ 1) oi clause 26; (Q die 
foim and the maimer in winch and the lime within wlucJi icluin* and statements aiul pai denials 
aie to be limns lied under sub-chiu.se {1} ot clause 27.' g; the uuai and ihc manner and the 
lime at winch the Aiuhoiii) shall kiumh annual icpoit undei sub- clause (2) of clause 27; 
fh) auv oihet nutter which is lequircd :o l>c. or nuy be. piescrilvd, oi in lesjiect of which 
p.inbiOM is to Ivf or may he m \de by inlcs 

2. Sub-i. Luisef I jo! iLut.se 53 of die Pill empowei. 3 e National Identification Authoniv 
of India to make, by nodJlcatum. icguL»iu*ms to cany out the piovisions of the pixi(x>sed 
ley, slat ion consistent wilb the provisions ol the proposed legislation and the rules' made 
fliereundcr. Sub-clause 12) specifies the mailers m icsped ol winch such regulations' may be 
made These matters, m. / alia, include (i) the biometric infci.nation undei sub-clause 
(c): the democrat Lie information undei sub-clause (h): the piocess ol collecting demographic 
information and biometuc infoimation irom tlie individuals b> enrolling agencies undei snb- 
clause (j) of clause 2; tu) (he maunei of furnishing *lie demographic mfoitiiatioii and biometric 
information by ibe lestdcnl undei sub-clause (11 ol clause 3; and the manner of verifying the 
demogiaph:c intormauon and bicmetiic informauon Rv issue ol aadhaar numbei undei sub- 
clau*e{2j of clause 3, (iti) the ptoceiUire Lot authentication of hie a. chiaar number undei sub- 
clause (J) of clause 5. (iv) die otlm functions u lie peilbimcd by General Identities Data 
Repository undo, clause 7; (v) H»e maimci of updating biometric information and demographic 
information undei clause S: (vi) die otliei categories of individuals under clause 10 for whom 
die Authority shall take sjiecial measures foi allotment of aadhaar number; (vii) the time and 
places of meetings ot the Authority and the piocedtire fot tiansaciion ol business to ue 
followed by it < including the quorum) undei sub-clause (1) ot clause 18; (viii) the salary and 
allowances payable to. and ochei ten ns and conditions ol set vice of, the chief executive 
officer, clT’Oers and otbei eni{)ioyees of tlie Authority undei sub-clause (3) of clause 20 
(\\) vanous maueis specified u»idei clause 23. (\) the manna ol accessing the identir> 
u'.lumttion by the aadhaar number hoida under sub-clau.se O) of clause 30; (xij the manna 
of alteration ot demogtaphic mfotmalion under sub-clause (1) and biometric information 
lUKkr sob-clause ;2) ot*clause 31; (xii) the mnruiei of and the time for maintaining the request 
lor authentication and die response theicon under sub-section (I) and the manner of 
obtaining, by the aadhaai number holdei, ihc lecords of request foi authentication and 
rcS|)Oiisc diet eon undei sub-clause (2) ol clause 32 (xiii) any othci matter which is lequiied to 
be. or may be, specified, oi in respect oi which provision is to be or may be made by 
l emulations 

3. Clause 54 pi ovules that e\erv uile and every regulation made under the ptoposed 
kgishttion shah be laid, a* soon as may be aitei it is made, befoic each House ol Parliament. 

4. The mattei s m respect of which rule* and regulations may be made aie matter ot 
procedure ot administrative detail and it is not piacticable topiovide for them in the Rill itself 
The delegation ol legist an \ e powei is theielorc ol a notmai charauei. 
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RAJYASABHA 


FULL 

to provide for (tie establishment of the National Identification Authority of india for the 
purpose of issuing identification iiumbeu to individuals residing in Inc la and to certain 
other classes of ;ndi\ iduah. and nuunei of authentication ot such mdivid jals to facilitate 
access to benefits ^nd services '3 such individuals »/liKh they are ertiUcd and foi 

m liter conn* vied therewith or incidental theiclo. 


f*S/in V. Nnra\ anasamy, tV'.niifcr of«State in (he Ministry of Planning and 

Pathanicntar ) Affairs) 
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A Unique Identity Bill 

USH \ RaMAHATHAN____—-— - 


India’s unique identification 
number project has been 
sold on the promise that it 
will make every citizen, the 
poor in particular, visible to 
the State. But the uid project 
raises crucial issues refitting 
to profiling, tracking and 
surveillance, and it may well 
facilitate a dramatic change 
in the relationship between 
the State and che people. The 
Unique Identification Authority 
of India has not acknowledged 
these concerns so far. And now, 
nowhere in the proposed draft 
bill that it has prepared have 
these issues been addressed nor 
have clauses been drafted to 
prevent ?buse of information that 
will be collected by the agency. 
With so many questions on the 
project - regarding biometrics, 
security and privacy - yet to be 
answered, it is far from time for 
parliamentary approval. As has 
been observed, the Constitution 
is expected to provide the citizen 
wich dignity and privacy; but 
these are missing in the 
uid project. 


Thanks fol’avKhra Ramcsh and Mui ah for 
n-s sounding bouids 

U<liaRaraanartuni(ui<ini«iiafhiin@iriK utg) is 

an independent law rcsonrchci who woiio on 
i lie jurisp udence of law. poveiiy and 


I n Febiuaty 2009, the unique identih- 
canon number (mo) project was set up 
within tne Planning Commission. 
Since August (July) 2009. when randan 
Nilekam was appointed a, its ch'iuper&on, 
the Unique klcnt’-ficatioii Authority oi 
India (uiom> has been propagating the 
idea or che uid which e icli lesulent m 
India Will lx' gi\c-t. 

The project pegs its legitimacy on what 

it will do lor 1 he poor. It promises tint it 

will give the poo: an identity, with which 

«-ht y may become visible to tlv* state. 1 he 

uio number is expected to plug leakages. 

including »n the Public Distribution 

Svstem (w>s), ease payments to be made 
* * 

nuclei the National Ktirai limyioymeiit 
Guarantee Scheme (.khegs), and enable 
achievement of targets in consonance 
with five right to education. Service deliv- 
cry is a central theme in its promotional 
literatuie. The taising of expectations is, 
however, tempered by a quick-caveat that 
the *‘uid number w’ll only guarantee idem 
dry, not rights, benefits, or entitlements" 
'Ihe * no database is intended to hold 
information including the name, address 
and biomeci ics oi die person. It lias been 
reiterated with remarkable regularity that 
the uioai will not be gathering mfcimaLion 
that could lead to profiling, so, religion, 
caste, language and income, for instance, 
will no: be brought cn to the uid database. 

The uiDAi has strained eveiy nerve tu 
explain that it will not be a database from 
which others may Jenve information 
about any person. The uidai will merely 
“authenticaie", i e, ir will give a "yes" or 
“no" answer when asked whether a rame, 
address and biometric indicator tally. I hat 
is, it will attest to the veracity of the iden¬ 
tity being asserted by a person by check¬ 
ing on its database. If rhe details rally, ir 

will s.iy no more. 

Thr opei at ion foi being invested wich 
an idenuLV goes through stages’ enrolling 
wich a enrollei/registrar who will sei 
down the basic biographic details such as 


name, address, father/guardian’s name 
(and uid number), mother’s name (and 
uiC/ number) and collect the biometrics - 
photographs, all 10 fingerprints and iris 
scan, de-duolicanon (which will be done 
by the uidai to make eeriain Lhat theic is 
one identity for one person), updating the 
database whenever any change occurs in 
relation to the information on the dam- 
base (foi instance, when there is a name 
ot address change, the responsibility foi 
which will rest with the individual) 

The uidai has said that getting an to the 
uid database is \olunt*u>. lhat is, ir r> 
clarified, there will be no compulsion 
from the uidai Uut, if othei agencies 
make the uid nurnoei essential m their 
transactions, chat is a d’fferenr matter. 

1 he uioai has been signing memoranda 01 
understanding two us) with a range ot 
agencies including banks, scare govern¬ 
ments and the Life Insurance Corporation 
of ii.du. 0 ic; to be “registrars", who then 
may insisc that their customers enrol on 
the cut) to receive continued service. 

Given the dramatic changes that die 
uid could "bring 10 the relationship be¬ 
tween the state and the people, it should 
cause concern that there has been so little 
public debati around f he uid. I here is an 
unquestioned benignness lhac is being 
atti ihuted to the project, which could be 
explained in part by the image of Nandan 
Nilekam, whose salience to che project 
could foster a sense that this is a projecc 
around technology, and not about iden¬ 
tity. The rhetoric lv* stayed focused on 
the poor, which has lent the project legiti¬ 
macy and there has been no discussion 
hom within the establishment on the 
possible downsides. 

One concern ihar has been raised con¬ 
sistently is on the question of privacy - 
that inclination held in a central reposi- 
lorv could result in breaches of privacy. 
The invasion of privacy that technology 
has facilitated and roucinised in recent 
years has eroded the relevance of tradi¬ 
tional notions of privacy. The experience 
with abandoning the idea of privacy is lel- 
a lively recent, and it will be a while before 
its value is reconstituted and the idea 1 es¬ 
timated. The introduction to the uid has 
been in terms of investing every resident 
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wall an identity, as a single stop for 
authenticating identity, as a de-duphca- 
tion exercise, for plugging leakages, as a 
Hacking device, and as a wage transfer- 
ringdevice 

There are, however, other concerns that 

havr bet*n voiced and Hiich remain unre- 

>uKcci Thc-v include die conLCXLS of con- 
0 

vcigeo-r, nadonai security, the national 
population register (hi erg, and the shaky 
edifice 01 biometrics on which this super¬ 
structure is being built. 

Convergence 

The i’ll) liierjcme does not use che woid, 
yel convergence is a predictable and inevi¬ 
table consequence ot the uid project. Con- 
"eigence is about combining information 
Tlieie me various pieces of information 
that we hand ovei to range of agencies 
when buying, say a railway ticket, main¬ 
taining d bank account, regiseexing m a 
university, getting woik at an Nitres 
woiksite, taking out an insurance policy 
buying a moroicvcie, paying telephone 
oills, clc. Currently, with only the name 
and a possibly correct address, i( will not 
be easy to profile a person or crack them. 
Tire information is held in what are called 
“silos", that is, discrete towers holding 
information that has been handed ovei by 
an individual in ielation to a defined pui- 
pose. If it were possible to create bridges 
to link r h p se sjIos, it would wrest control 
of infoimation on the individual and make 
it available, metaphorically and literally, 
at the tap of a computer key. 

There is a da tic joke making its rounds 
which would oe funny, but is not, and it 
runs like this 

Opeiacot. Thank you tot calling Pizza Plaza. 
May 1 have voui. 

Customei: May 1 place an oidci * 

Opeiator. Can I have your mukipuipose id 
caid number, sii? 

Customei * k is, hold on ... 213561020.19998- 

HS-5-tbio 

Opeiator: Welcome back fiom Japan, 
Mr Singh 

Customer. May l older your Seafood Pizza 
Opeiator: Thats nocn good idea, sit 
Customei: Why would you sa> that? 

Opei acor: According to your medical 1 ecords, 
sn, you have high blood pressuie and even 
higher cholesterol level. 

Customei. What 0 .. What do you lecom- 
nv*nd then? 

Opeiatoi: Try our Low Fat Pizza You'll like ir 
C ustomcr How would you know that 7 


Operator You boi 1 owed a book titled 
Popular Di&hes fiom the National Lihimy 
lasr week, sir 

Customei: Oh . Have thtee family <ize 
delivered. How much would ihaL cost? 
Opciatoi: That should be enough for your 
family of s, sir. Thai will be Its 500. 
Customer: Do you accept payment by credit 
card 0 

Operaioi * I'm afraid you have to pay us cash, 
su. Your ci edit card w over me limit and you 
owe yam bank Rs 23,000 since Ociobei Iasi 
yeai And chat’s not including the late pay¬ 
ment charges on voui housing loan 
Customer. I guess I have to am 10 the neigli- 
bouihood a rM and withdraw some caih 
helm - wiu guv an r «.*> 

Opciarot Oh, no. su Vuiu records show rh u 
youve reached louruailj 1mm on machine 
withdinwai too ay. 

Customei: Nevei mind just nd the pizzas, 
i'll have the cash '-cauv How long will dim 

Opeiaioi About 45 minutes, sir, but if you 
can’t waic you can always come and collect it 
in your Nano. Wul chei e be anything else, sn 7 
Customei. No Py the way. . make sure you 
send the 3 lac buttle, of cola as advertised 
Ope ratal But, s.t. ytmi health records ?aj 
you'io a diab<Hic. .. 

Customer: ~ '* s 

Opeiator Please watch your language, 
su. Remomboi or »*, July you wcie con¬ 
victed of us. no abusive language at n 
poluenian 0 

It was repaired last year that Apollo 
Hospitals had written to the uioai and to 
the Knowledge Commission to link uin 
numbeis with health profiles of individu¬ 
als and offered to manage the health 
records (Business Siandaid , 27 August 
2009 ) It has already embarked on a 
project ‘‘Health Superhighway*’ that re¬ 
portedly connects doctois, hospitals and 
pharmacies, who would be able to commu¬ 
nicate with each orhei and access health 
lecoids 'l'his, then, is no longei hypotheti¬ 
cal Tlie uid is poised to be the bridge be¬ 
tween silos of personal infoimation 
This convergence of information may be 
efficient foi business and meet standaids 
of efficiency, but there are those who 
would digue that it profiles individuals and 
exposes them to market and other forces in 
ways which arc intrusive, and which could 
make them insecure, and unsafe 

National Security 

Surveillance is a concern, and a term 
that is missing altogether in the uidai 
documents 


There are three indt&cives diac together, 
form a pattern that is disturbing The uid 
only produces a number which is a tag 
that is poised to be “universal” and “ubiq¬ 
uitous”, Its capacity to link disparate pieces 
of information is difficult to dispute. Place 
this in the context of the National 
Intelligence Gnd (natgrtd), ana the 
Home Minister P Chidambaram’s state¬ 
ment begins to sound ominous. “Under 
natgrid”. he is reported as having said, 
*‘21 sets of databases will be networked to 
achieve quick seamless and secure access 
to Jesiied infuimation for intelligence 
and enforcement agencies’* (The Hindu , 
14 February 2 oto) This ic ro enable them 
“to decoct pactems, trace sources for 
monies and support, track tiavellers, and 
identify chose who must be watened, tn- 
vestigaled, disabled and neutralised” Many 
of these intelligence agencies, including 
the Reseaich and Analysis Wing (raw) 
and the Intelligence Bureau (xb), are nei- 
thei creatures of the law, nor are they sub¬ 
ject to oversight And they are outside the 
Right to Infoimation Acl. Yice-Presiden' 
Hannd Ansari, quoting an intelligence 
expert, reportedly asked. “How shall a 
democracy ensure its seciec intelligence 
apparatus becomes neithei a vehicle for 
conspiracy nor a suppressor of traditional 
liberties of democratic self-government?” 
(Time.: of India, 20 January 2010 ). By all 
accounts, the question has not been 
ansiveied yet. 

In November 2009 , newspapers report¬ 
ed Cnidambaram’s statement that the gov¬ 
ernment would soon be setting up a on a 
data bank. Theie has been no word on the 
subject since, but on 12 Julv 2010 , the 
Indian Express carried news of an im¬ 
patient debate that has erupted about 
speeding up dn\ data banks lo hold dna 
data of convicts. This is just a stretch away 
from extending it 10 more classes of the 
population. 

The use of science and technology to 
practise the politics of suspicion is a possi¬ 
bility that is finding its way into becoming 
a fact 

National Population Register 

The Census has acquired a distuibing di¬ 
mension with the npr being appended to 
it The npr is nor an exercise undertaken 
under the Census Act, 1948 . It is being 
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c,n nod out under the Citizenship Act ol 
19S.S and die Citizenship (Reviseration uf 
Citizen** and Issue <h National Identity 
CauUj Rules 2003 W : h\ should chat mat¬ 
ter 1 Because Uiero is ait exptc-ss provision 
regard»ng ‘ronfideiitiality 1 ’ in rhe Census 
A<“t which is hoc ninety missing in the 
Citizen*.iup Act and Rules. But there is an 
exptess objeuwe ot making the informa¬ 
tion available to uie uioai, which umrk .1 
an important distinction between the cwo 
processes. Section 15 ol the Census Act 
categorically makes the information chat 
we give 10 die census agency “not open ro 
inspect ion 1101* ud miss (Me in evidence". 

‘i he Censtu Avc enables die .ol!ec:io*i of 
•n.'oimatiof. so the state has a pcollie of 
the impul.itiop, it is expiessh not ro pro¬ 
file the .ndividtial 


J' is the admiCiC-j position rhar die 
mfuununon gathered in rhe hcuWo- 
huusc survey, and the biometric., collected 
during die exeicise, will feed Into the uil> 
database The tun document says the 
irfoinuukm that die database will hold 
will only serve to identify if the poison is 
who ;he person says lie, or she, is. it will 
not hold am' personal details about any* 
l x'd\ VVluv die uocuir.cnc does not say is 
that ,h vill pic’ idr rhe biidga between 
tlic “silos” of data chut ate already in ex¬ 
istence, and which the nor will aUo bring 
nito Doing. So, wuh die uio as the key, the 
profile of any person resident in indui can 
he built up 

i*he Citizenship Rules 2003 strips Lite 
veneei of voluntariness from rhe utu Ir 
: lasses every individual and every * head 
0/ rV:mly'' an infounafK, who will be 
penalised il e^ery person in the household 
iis not in cite ni*k, 01 if die information 
is outdated. 

The npk is also slatted to collect biomet¬ 
rics - photographs, hngerplints, ids The 
coercion in the Citizenship Rules is not the 
only aspect which is worrying. The rules 
also envisage an exercise m sifting the 
citizen from the resident. *ftie person col¬ 
lect mg die infoi mat ion is expected to ex¬ 
ercise judgment in deciding wheihoi the 
peiMin whose details aie being taken 
down may not be a citizen. 11 there is any 
doubt, such petson will be caiegoiised to 
be subject to further investigation The 
Hint, like the Census, is can icd our by lay- 
people, and the uwtained mind is asked 






10 discern .and judge iimilcis that could 

lead ro inclusion, 01 statelessness 

/U the uni end ol June zoio, ihc ujoai 

web site uploaded a piopnscd draft bill": 

lHc National ldc-mifjcation Authority ol 

India Bill, 2010 Comment were asked 10 

be sent within two weeks, by 14 July 2010 

Various individuals and groups have sent 

in then comments, Liu nave ask 2d that the 

lime lo tespond bo extended so that they 

n.ar discuss it and uncleirrand it inoie fullv 
• ✓ 

before taking thwit position on tlic Bdl. 

One ol the p.nvisinns that has raised 
concern is clause 3 y which leads* 

,i > Necking aj.u lined in r lx t ub-sotn.u ( ;) 
ot section $c shall ,tp.j|) m jespea of- 
G1.1 run disciosme o< informal ion (mcladiug 
idenricy miotmanon 01 details uf authenti¬ 
cation) made puisuam to an onici ol a tom- 
p feru comi, 01 

(b> :111V disclo^uc of mfoimnfion (including 
identity .n formation) made n uiteresis 
o! n.Uionj* security in puisunnie ol a dttec- 
uon ro that eftet c liMiul In an cUkvi not b>. - 
low the icinK ol Joint Scuetat \ oi equivalent 
in the bmn.i! Uvr.nma'.t afo'i obtain*/'» 
appioval of the Mmisna m chaige. 

Aid jo* mb some cormnenrators on the 
uit> project (and that includes me) have 
written about mrvei Ranee ticking, pro¬ 
filing ami social and executive conciol of 
die pcHiplc* by the state and its agents, the 
enu/u has nor acknowledged these con¬ 
cerns so far. This is despite die “Awareness 
anti Communication Report” which the 


ujdai commissioned and which advised 
the authority on how Lo anticipate and 
sidestep the unease dial people rnuy have, 
regisrenngthar. 

rhe ic.ea of giving our information and affix¬ 
ing one’s thumbpi im 10 a document without 
fully unci'-rsranchny irs implications, com¬ 
pounded wuh me saci nui roo many non 
slate players arc visibly involved could pose 
:i hamcr ro emolmenc as well The feai or 
individuals being m the government's rada: 
and the ability of vaiiotis gioups to play on 
Lins fear is another likeiv challenge 

Neither the Bill noi any detument pro- 
clucerl m the piocess has, however, nd- 
di essed any of these concerns. What is re¬ 
flected m the document is only rhe need ro 
onsu'-e that 'hose anxieties do noL cone hi 
the wav of completing the exercise. 

Such a major shilL in public policy surety 
can no: occur with our a discussion preced¬ 
ing it, a dehbeiarion on rhe import, and 
consequences, of such a change, a,td a 
lessoned decision u»kei; on the matrei 
The constitutionality of such a move is 
ques' 1 enable. /unong rhe issues that aie 
likely 10 uiise, there aie tv\ r o that Justice 
Kajendia Babu laised in the presence of 
Nanden Nilekani and his team at a consul- 
Lui.io.1 held m Inc Nation^ Law 3 c ho ok 
Bangulote on 23 Novembet 2<x^: the 
Consutuiion guarantees us dignity and 
p'lvacy, he said. Both seexii to have been 
given a miss in the way Lhe urn project l;as 
been conceived. 
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Die combination ot uid, natcrid and 
che c merging idea of ihe on a bank, makes 
state control of a population a very real 
possibility To treat every person as a sus¬ 
pect, and to create systems that would 
*npporr sikh a practice, is a highly ques¬ 
tionable act of a stare. That the State and 
ics agents Iktve raced the charge of being 
communal and of having bren involved 
in torture, fake encounters, forced dis- 
appeaiitnce$ anu complicity in crime adds 
to i lie amalgam ot concerns. The Bill does 
nor acknowledge it, but those within che 
system cannot be piosecuted without 
s.uuLioti o! die poweiS-thaL-bc it seems 
Lke a piescppuou Jot impunity where the 
pioiocol for protecting the data is 
breached item within the state apparatus. 

Discussions around the B'll will have to 
deal with the issues tin own up by the in- 
Deduction of the eminent of ‘‘national se¬ 
curity especially as ii is Iceuced within a 
web of uid, natcrid and a dm a data bank. 

Biometrics 

The most disturbing aspect of the uid 
project u the linking of identity, and 
nghrs, entitlements, cirue ns hip and rec¬ 
ognition. to l)iometrics The uid project 
has sertled on three metrics: facial recog¬ 
nition through the photograph, finger¬ 
prints (all eight fingers anti two thumbs), 
and the n is. The ui dA t documeats reveal a 
state of ignorance, and unpieparedness, 
that is inexplicable. Quotes will set ir out 
mosL clearly: 

In the uiDAi’s “Notice Inviting Applica¬ 
tion for I !<riu< Biometrics Consultant”, fci 
a period of six months starring March 
20 io, it was written: 

While nist (the United States agency) doet- 
nienis the fact that die accuracy of biomet tic 
matching is extremely dependent on demo* 
graphics and environmental conditions, there 
is a lack of a sound study that documents the 
accuracy achievable on Indian demographics 
(iv, larger peiceiuage of rural populauon) 
and in Indian environmental conditions (i e, 
exueiuely hot and humid climate and facili¬ 
ties without ail-conditioning)... The ‘quality’ 
assessments of fingerprint data is not suf¬ 
ficient to fully understand the achievable 
de-iiiipheauon accuracy. *lhe next step is ro 
acqune biomemcs dau lrom (he Indian iuial 
conditions in two sessions (with a time d if let * 
cnee) and assess the matchabilicy .. 

That is, the capacity to captuie biomet- 
tics with any accuracy has not even been 


tested yet, and the project already has 
Rs 7 < toie committed to it foi just this 
year, and tire whole apparatus through 
the npr moving rot ir. This demands 
an explanation. 

In a uyptic note, the Notice reads: “The 
biometric evaluations aie statistical The 
statistical significance of the results aic 
requited to De analysed foi rhe uioai.” 

Thai is, the margin of error is not 
yet knew ii. 

In ‘Ensurmg Uniqueness* Collecting 
Iris Biomemcs lor rhe Unique m Mission", 
the lepoit tereis to the Biometrics Com¬ 
mittee :.ei up undei die lida; which had. 
in Jcinuai v ioiu been non-committal 
about tlie use of the thud biometric, since 
“ .in tlv absence of empirical Indian data, 
a is not possible for the committee to pre¬ 
cisely predict the improvement in the ac¬ 
curacy oi de-duplication to the fusion of 
fingerprint and iris score*.’’ The docu¬ 
ment acknowledges “technology risks”, 
including the inability to guarantee bio¬ 
metrics of ‘high quality across i:s thou¬ 
sands of enrolment pomes’* This capture 
would help in emoime.it, bur not in au¬ 
thentication since the equipment wiJ! no r 
be available In most places. The compro 
nuse “for authentication, rhe use of fin¬ 
gerprinting will be sufficient”. This could 
spell trouble foi calloused hands and 
marred fingerprints - which would m 
dude those doing manual iaboui and ag¬ 
ricultural operations, whose fingerprint' 
cannot be authenticated. 

On 17 July 2 oio, the Economic Times 
reported chat “people with ‘low-auahty’ 
fingerprints and corneal/cataract prob¬ 
lems” could “pose difficulties” for the 
piojecc. “Millions of Indians working in 
agncultuie, construction workers and 
other manual labourers have worn-out 
fingers due ro a lifetime of hard labour* 
resulting in low-quality” fingerprints. 
'The iris scan cannot be done on people 
with corneal blindness or corneal scars. A 
study done in 2005 at the All India Insti¬ 
tute of Medical Sciences estimated six to 
eight million people in India had corneal 
blindness, and many more people would 
have corneal scars. A Hyderabad br-seo 
eye institute identified cataiact, which 
results fiorn nutritional deficiency and 
prolonged exposure to sunlight and ultra¬ 
violet rays, and cataract surgery, as 


almost certain to affect che ins. This is 
about the people that the uidai projects 
as its main targets. A scientist with the 
Council of Scientific and industrial 
Research is cited as suggesting chac “thev 
could use dma fingerprinting in such 
cases”. Apart from the reduction of a 
people co a subject-population, these sug¬ 
gestions are inexcusably casual ?bout 
using techniques that will be of no help to 
the person so identified. 

The draft Bill does not deal with any of 
these concerns. In clause 3 ( 1 ), it dedaies 
that “every residenr shall he entitled to 
obtain’ a uin r.umbci, but nowhere in the 
Bill is rhere a clause that no agency may 
refuse services co a person because they do 
not nave such a nnmbei, thus leaving the 
field open for compulsion. Nowhere in the 
Bill is them an acknowledgement of the 
extraordinary powers of suiveillar.ee, and 
invasion of privacy by government and pri¬ 
vate agencies that the uid will be facilitat¬ 
ing, so there are i.c limits sol on the uses of 
the number and of ilie networks of informa¬ 
tion il could be used to generate. So convei- 
gence is facilitated, and the person has no 
control over it, nor is ^ a wrong in law 
For chose whg are willing co place their 
faith in the uid clause 12 may cause them 
lo pause. It reads: “The Authority shall 
consist of a Chairperson and two part- 
time members to be appointed by the 
Central Government”, and they may be re¬ 
appointed, 01 ejected, by the central gov¬ 
ernment. There are skeLchy offences of 
“intentionally” accessing rhe uid database 
and damaging, stealing, altering informa¬ 
tion or disrupting the data. But it provides 
no means by which a person whose data is 
stored to know that such an offence has 
been committed; and it does not allow 
prosecution to be launched except on a 
complaint made by the authority or some¬ 
one authorised by it. Experience has re¬ 
vealed the failure of regulation; yet it is on 
regulation by the authority that a whole 
population is asked to place its trust. There 
is no grievance redressed mechanism man¬ 
dated by law; it may be set up by regulation 
or it may not There is a clause in passing 
that tccognises that the data could reach 
people beyond the borders; but no idea at 
all on how to dual with iliac situation. 

The demographic information gath¬ 
ered may not be elaborate at the start. 
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*7xit clause 23 (b) leaves an opening for 
expanding the demographic and bio¬ 
metric data chat may be collected. Most 
damning is the passing reference in 
the general “powers' and functions 
of authority” co the use of the uid 
mini be 1 “for delivery of various oeneiirs 
and services as may be provided by 
regulation”. That is ail there is to indicate 
that service delivery 10 the poor is Lhe 
object c. f this exercise. The issues on 
which the uid project is piggyback 
riding for ks legitimacy aie too serious to 
Or cuvialised 



1 


The mous the uidai has entered into 
with “registrars” that include banks, state 
governments and the uc have been signed 
with no statutory backing anti no legal 
powet 10 collect, hold and transmit infor¬ 
mation from and about people. Biometrics 
has not even been tested, despite Indian 
demographic and environmental condi¬ 
tions being Aiiown to make n significant 
difference to the quality of biometric cap¬ 
ture. In a May 2010 paper prepared for the 
uidai - “A uid Numbering Scheme” - is 
written: “We expect the iru> system to live 
on for centuries”. This, then, .s a tagging 


device that is expected to last well beyond 
a person’s lifetime. 

The non-seriousness of the Bill, and the 
refusal ro confront the hard issues, are a 
slight to democracy which must be reme¬ 
died before the project progresses to cre¬ 
ate a fait accompli. Theie are murmurs 
chat the Bill L co be introduced in the 
monsoon session of Parliament. It would 
be trite to say chat, when biometrc accu¬ 
se/ is Mill in question, and so many ques¬ 
tions remain unanswered, it is nowhere 
near time for parliamentary considera¬ 
tion, or approval. 
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INTRODUCTION 

I, the Chairman of the Standing Committee on Finance, having been 
authorized by the Committee, present this Forty-Second Report on “The 
National Identification Authority of India Bill, 2010". 

2. The National Identification Authority of India Bill, 2010 introduced in 
Rajya Sabha ori 3 Decemoer. 2010 was referred to the Committee on 10 
December, 2010 for examination and report thereon, by the Speaker, Lok 

Sabha under Rule 33IE of the Rules of Procedure and Conduct of Business in 
i.ok Sabha 
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o The Committee obtained background note, detailed note and written 

information on various provisions contained in the aforesaid Bill from the 
Ministry of Planning 

c 

4. Written suggestions / views / memoranda on the provisens of the Bill 
were received from various institutions / experts / individuals. 

5. The Committee took briefing / oral evidence of the representatives of the 
Ministry of Planning and the Unique Identification Authority of India (UIDAI) at 
their sitting held on 11 February, 2011. 

6. At the sitting held on 29 June, 2011, the Committee heard the views of 
the representatives of (i) the National Human Rights Commission (NHRC), and 
(it) the Indian Banks Association (I3A), and Dr. Reetika Khera, Visitor, Delhi 
School of Economics, New Delhi. The Committee also heard the views of the 
representatives of the Confederation o f Indian Industry (Cll), and experts 
namely, Dr. Usha Ramanathan, Independent Law Researcher, New Delhi, Dr. 

V R. Ramakumar, Associate Professor, the Tata Institute of Social Sciences, 

Mumbai and Sbri Gopal Krishna, Member, Citizen Forum for Liberties, New 
Delhi at the sitting held on 29 July, 2011. 

7. The Committee, at their sitting held on 8 December, 2011 considered 
and adopted this Report. 
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8. The Committee wi;h to express their thanks to the officials of the Ministry 
of Planning and the Unique Identification Authorily o India (UIDAI) for 
furnishing the requisite material and information whicn were desired in 
connection with the examination of ihe Bill. The Committee would also thank 
all the institutions and experts fcr their valuable suggestions on the Bill. 

9 For facil'ty of eferenci!, the observations/recorr mendations of the 
Committee have been printed in thick type in the body of the Report. 


New Delhi; YA3HWANT SINHA, 

9 December. 291 1 Chairman, 

20 Aghrayana, 1933(3 aka) Standing Committee on Finance 



REPORT 


PART -1 

A. Introduction 

1. With a view to ensure that the benefits of centrally sponsored schemes 
reaches to right person and not misused, the Central Government had decided 
to issue unique identification numbers to ail residents in India and to certain 
other persons. T he scneme of unique identification 'nvolves collection of 
demographic and biometric information from individuals for the purpose of 
issuing of unique identification numbers to such individuals. The Central 
Government, for the ourpose of issuing unique identification numbers, 
constituted the Unique identification Authority of India (UiDAi) on 28 th January, 
2009, being executive in nature, which is at present functioning unaer the 
Planning Commission 

2. It has been observed and assessed by the Government that the issue of 
unique identification numbers may involve certain issues, such as (a) security 
and confidentiality of information, imposition of obligation of disclosure of 
information so collected in certain cases, (b) impersonation by certain 
individuals at the time of enrolment for issue of unique identificatioh numbers, 
(c) unauthorised access to the Central Identities Data Repository (CIDR), <d) 
manipulation of biometric infoimation, (e) investigation of certain acts 
constituting offence, and (f) unauthorised disclosure cf the information collected 
for the purpose of issue of unique identification numbers, which should be 
addressed by law and attract penalties. 

3 In view of the icregoing paragmoh, the Government has felt it necessary 
to make the said Authority as a statutory authority for carrying out the functions 
of issuing unique identification numbers to the residents in India and to certain 
other persons in an effective manner. It is, therefore, proposed to enact the 
National Identification Authority of India Bill, 2010 to provide for the 
establishment of the National Identification Authority of India (NIDAI) for the 
purpose of issuing identification numbers (which has been referred to as 
aadhaar number) to individuals residing in India and to certain other classes of 
individuals and manner of authentication of such individuals to facilitate access 
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to benefits and sendees to which they are entitled and fo matters connected 
therewith or incidental thereto. 


B. Objectives and Salient f eatures of the Bill 

4. The National Identification Authority of India Bill, 2010, introduced in 
Rajya Sabha on 3 rd December, /'010, inter alia, seeks lo provide— 


(a) for issue of aadhaar numbers to every resident by the Authority on 
piovioing his demographic and biometric information to it in such manner 
as may be spsci ied by regulations; 


(b) for authentication of the aadhaar number of on aadhaar number 
holder in relation to his demographic and biometric information subject to 
such conditions and on payment of such fees as may be specified by 
regulations; 


(c) for estab'isr merit of the National Identification Authority of India 
consisting of u Chairperson and two part-time Members; 

(d) that the Authority to exercise powers and d'seherge functions which, 
inter a//a,inc!i de — 

(/) specifying the demographic and biometric information for 
enrolmen fpr an aadhaar number and the processes for collection 
arid verification thereof, 

(w) collec.mg dernograomc and biometric information from any 
individual seeking an aadhaar number in sue i manner 3 S may bo 
specified by regulations; 

(Hi) maint aining and updating the information of individuals in the 
CIDR in such manner as may be specified by regulations; 

<iv) specify the usage and applicability o f ihe aadhaar number for 
delivery cf various benefits and services as may be provided by 
regulators; 

(e) that the Authority shall not require any individual to give information 

pertaining to his race, re igion, caste, tube, ethnicity, language, income 
or health; 


(f) that the Authority may engage one or more entities to establish and 
maintain the C DR anc to perform any other fi notions as may be 
specified by regulations; 

(g) for constitution of the identity Review Committee consisting of three 
members (one cf whom shall be the chairperson) tc ascertain the extent 
and pattern of usage of the aadhaar numbers across the country and 
prepare a report annually in relation to the extent and pattern of usage 
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of the aadhaar numbers along with its recommendations thereon and 
submit the same to the Central Government; 

(h) that the Authority shall take measures (including security safeguards) 
to ensure that the information in the possession or control of the 
Authority (including information stored in the CIDR) is secured and 
protected against any loss or unauthorized access or use or 
unauthorized disclosure thereof; and 

(/) for offences and penalties for contiavention of the provisions of the 
proposed legislation. 

C. Evolution of the UIDAI 

5. The concept of a Unique Identification (UID) scheme was first discussed 
and worked upon since 2006 when administrative approval for the scheme 
"Unique ID for BPL families' was given on 3 rd March, 2CC6 by the Department 
of Information Technology, Ministry of Communications and Information 
Technology. 

6 Subsequently, a Processes Committee was set up on 3 rd July, 20CS to 
suggest processes for updation, modification, addition and deletion of data 
fields from the core database to be created under the said project. The 

9 

Committee appreciated the need of a UID Authority to be created by an 
executive order under the aegis of the Planning Commission to ensure a pan- 
departmental and neutral identity for the Authority. 

7. Thereafter, since the Registrar General of India was engaged in the 
creation of the National Population Register (NPR) and issuance of Multi¬ 
purpose National Identity Cards to citizens of India, it was decided with the 
approval of the Prime Minister, to constitute an Empowered Group of Ministers 
(EGoM) to collate the two schemes - the NPR under the Citizenship Act, 1955 
and the UID scheme. The EGoM was also empowered to look into the 
methodology and specific milestones for early and effective completion of the 
scheme and take a final view on these. The EGoM was constituted on 4 th 
December, 2006 and a series of meetings took place as foilows:- 
a) First meeting of EGoM: 22 nd November, 2007 : 

* Recognized the need for creating an identity related resident 
database regardless of whether the database is created based on a 
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de-novo collection of individual data or is basec on already existing 
data such as the votei list. 

• Need to Cer tify and establish institutional mechanism that will own 
the database and be responsible for its maintenance. 

t 

b) Second meeting 3f EGoM. 28 ,h January, 2008 

» The proposal to establish UID Authority r rider the Planning 
Commission was appioveo. 

c) Third meeting of EGoM: 7 >h August, 2008 

• Referred celain maiters raised with relation to the UIDA! to a 
Committee o' Secretaries for examination 

<j) Fourth meeting of EGoM: 4 ,h November, 2006 

<• It was decided to not ry UIDAi as an executive authority. Decision on 
investing it with statutory authority would be taken up later. 

» UIDAI would be anchored in the Pianning Commission for five years 
after which a view would be taken as to where the UIDAI would be 
located wthin Government 

8. The UIDAI was constituted on 28 th January, 2009 under the 
Chairmanship of Shn Nandan fv NHekani as an attached office under the aegis 
cf the Planning Conm.ssion. me UIDA! was inier-a ! la given the responsibility 
to lay down plan and policies l:> implement the UID scheme, own and operate 
the UID dataoase end be responsible! for its updation and maintenance on an 
ongoing basis. The Prime Minister's Council of U'DAI and a Cabinet 
Committee on UIDAI (called CC-UIDAI) were set up on 30'° July, 2009 and 22 nd 
October, 2009 respectively for achieving the objectives of the Authority. 

9. Asked why the matter of conferring statutory status to the UIDA! was 
deferred, the Ministry of Planning have submitted their written response as 
under:- 






"Based on the proposal that formation of the UIDAI under the Planning 
Commission would ensure better coordinaiion with different 
departments, it was decided that initially the UIDAI may be notified as an 
executive authority under the Planning Commission and the issue of 
investing the Ul DAI with statutory authority and the reconciliation of such 
statutory role with National Registration Authcrity (NRA) can be 
considered at an appropriate lime”. 
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10. Justifying the extension of the UID scheme, whicn is initially intended for 
BPL families, to all residents and ether categories of individuals, the Ministry of 
Planning in their written response have submitted as unden- 

The UID scheme was extended to all residents and other categories of 
individuals to gradually do away the de novo exercises each time for 
field level data collection. Simultaneously, it would also ensure that links 
to more and more identity based databases are created by inclusion of 
the UID number in their databases". 

11. In this regard. Dr. R. Ramakumar, Expert, in his post-evidence re^piy has, 
among other things, added as follows:- 

. ...it has been proven again and again that in the Indian environment 
the failure to enroll with fingerprints is as high as 15% due to the 
prevalence of a huge population dependent on manual iabour. These 
are essentially the poor and marginalised sections of the society. So. 
while the poor do indeed need identity proofs, aadhaar is not the right 
way to do that... ” 

12. The Ministry in their written reply have stated, among otner things, that 

“While there may be a number of factors contributing to the failure to 
enroll (like geography, age groups, occupasion etc) and the figures 

quoted. may not hold good in all situations, failure to enroll is a 

reality ... For enrolment purpose, UlOAl has already bum in processes to 
handle biometric exceptions.” 

D. Issuance of aadhaar numbers pending passing the Bill by 
Parliament 

13. Justice Dr. M. Rama Jois, MP (Rajya Sabha) in his representation 
addressed to the Chairman, Standing Committee on Finance has inter-alia 
pointed out since the NIDAI Bill is pending for consideration before the 
Standing Committee on Finance, implementation of the previsions of the Bill, 
issue of aadhaar numbers and incurring expenditure from the exchequer by the 
Government is a clear circumvention of Parliament, and therefore, should be 
kept in abeyance awaiting debate in and decision of both Houses of Parliament. 

14 On being asked about the legal basis under which the UIDAI is 
functioning at present, and the mechanism that the UIDAI has adopted, since 
its inception, to deal with any of the issues like security and confidentiality of 





information and other offences related to issue of the aadhaaf numbers, the 

Ministry of Planning in a written leply nave inter-alia stated ihat:- 

"....The matter a :>out commencement of operation o.' the UIDAI before a 
legal framework was put in place was referred to the Ministry of Law & 
Justice wherein opinion was sought on the issue whether in absence of 
a specific enabling law, would there be any constraints in collecting the 
data (including biometrics) arid in issuing the UID numbers to residents 
in accordance with the mandate given to the Authoity. The Ministry of 
Law & Justice, after examining the matter, had m mtioned that it is a 
settled position that powers of the Executive are coextensive with the 
legislative powe - of the Government and that the Government is not 
debarred from e (erasing its executive power in the areas wh ! ch are not 
regulated by specific legislation It had aiso been ocmed that till the time 
such legislation is framed the Authority can continue to function under 
the executive order issued by the Government and the scheme that may 
be prepared by the UIDAI. It was aiso opinea that the Authority can 
collect information/data lor implementation of the UID scheme. Such 
implementation can be clone by giving wide publicity to the scheme and 
persuading the agencies/individual to part with necessary information 

The UIDAI has not fared issues such as bresch of security and 
confidentiality manipulation of biometrics, unauthorized access to the 

CIDR or other related offences since us inception.till the time 

Parliament passes the Bill, these matters will be covered by the relevant 
laws”. 

* 

15. The opinion of ;he Attorney-General of India on the above mentioned 
issues as obtained the Ministry of Law & Justice (Department of Legal 
Affairs) is furnished oebw - 

"The competent of the Executive is not limited to take steps to 
implement the law proposed io be passed by Parliament. Executive 
Power operates indeperdently The Executive is not implementing the 
provisions of the Bill. The Authority presently functioning under the 
Executive Notification dated January, 2009 is doing so under valid 
authority ane theie is nothing in law or otherwise which prevents the 
Authority from ft ncfionirn, under Ihe Executive Authorisation. 

The power of Executive is clear, and there is no question of 
circumventing Parliament or she Executive becoming a substitute of 
Parliament. On the conlrary, what is sought to be done is to achieve a 
seamless transition of the authority from an Executive Authority into a 
statutory authority. 

All the expenditjre which is being incurred is sanctioned by Parliament 
in accordance with the financial procedure set forth in the Constitution. If 
the Bill is nof psssed by -my leason and if Parliament is of the view that 
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10. Justifying the extension of the UID scheme, which <s initially intended for 
BPL families, to all residents and other categories of individuals, the Ministry of 
Planning in their written response have submitted as under- 



The UID scheme was extended to all residents and other categories of 
individuals to gradually do away the de novo exercises each time for 
field level data collection. Simultaneously, it would also ensure that links 
to more and more identity based databases are created by inclusion of 
the UID number in their databases". 


11. In this regard Dr. R Ramakumar, Expert, in his post-evidence reply has, 
among other things, added as follows:- 

it has been proven again and again that in the Indian environment, 
the failure to enroll with fingerprints is as high as 15% due to the 
prevalence of a huge population dependent on manual labour. These 
are essentially the poor and marginalised sections of the society. So, 
while the poor do indeed need identity proofs, aadhaar is not the right 
way to do that... ” 

12. The Ministry in their written reply have stated, among other things, that 

“While there may be a number of faciois contributing to tne failure to 
enroll (like geography, age groups, occupasion etc.) and the figures 
quoted .... may net hold good in all situations, failure to enroll is a 
reality For enrolment purpose, UIDAI has already built in processes to 
handle biometric exceptions." 

D. Issuance of aadhaar numbers pending passing the E3ill by 
Parliament 


13. Justice Dr. M. Rama Jois, MP (Rajya Sabha) in his representation 
addressed to the Chairman. Standing Committee on Finance has inter-alia 
pointed out since the NIDAI Bill is pending for consideration before the 
Standing Committee on Finance, implementation of the provisions of the Bill, 
issue of aadhaar numbers and incurring expendituie from the exchequer by the 
Government is a clear circumvention of Parliament, and therefore, should be 
kept in abeyance awaiting debate in and decision of both Houses of Parliament. 


14. On being asked about the legal basis under which the UIDAI is 
functioning at present, and the mechanism that the UIDAI has adopted, since 
its inception, to deal with any of the issues like security and confidentiality of 
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information and other offences related to issue of the aadhaar numbers, the 

Ministry of Planning in a written reply have mter-alia stated ihatt- 

"....The matter a joiit commencement of operation o.' the UiDAI before a 
legal framework was put in place was referred to tl*e Ministry of Law & 
Justice wherein opinion v-as sought on the issue whether in absence of 
a specific enabling law, would there be any constraints in collecting the 
data (including biometrics) and in issuing the U1D numbers to residents 
in accordance with the mandate given to the Authcity. The Ministry of 
Law A Justice, .after examining the matter, had m antioned that it is a 
settled position ihat powers of the Executive are coextensive with the 
legislative powe - of the Government and that the Government is not 
debarred from e (erasing its executive power in ihe areas which are not 
regulated by specific legislation It nad also teen opined ihat tiil the time 
such legislation is fiamed the Authority can continue to function under 
the executive order issued by the Government and the scheme that may 
be prepared by the UIDAI. It was also opined that the Authority can 
collect information/data io r imoiementation of the UlD scheme. Such 
implementation can be done by giving wide publicity to the scheme and 
persuading the agencies/individual to part with necessary information. 

The UIDAI has not faced issues such as breech of security and 
confidentiality, manipulation .of biometrics, unauthorized access to the 
CIDR or other related offences since its inception.. ..till the time 
Parliament passes the Bill, these matters will be covered by the relevant 
lav/3”. 

15. The opinion of the Attorney-General of India on the above mentioned 
issues as obtained b\ the Mi iistry of Law & Justice (Department of Legal 
Affairs) is furnished below:- 

“The compe'-enoe of the Executive is not limited tc take steps to 
implement tne law proposed to be passed by Parliament. Executive 
Power operates independently The Executive is not implementing the 
provisions of the Bill. The Authority presently functioning under the 
Executive Notification dated 20 th January, 2009 is doing so under valid 
authority and there is nothing in lav/ or otherwise which prevents the 
Authority from fi nctioning under the Executive Authorisation. 

The power of Executive is clear and there is no question of 
circumventing Parliament or ihe Executive becoming a substitute of 
Parliament. On the conlrary, what is sought to be done is to achieve a 
seamless transition of the authority from an Executive Authority into a 
statutory authority. 

All the expenditjre which is being incurred is sanctioned by Parliament 
in accordance vith the fi lancial procedure set forth in the Constitution. If 
the Bill is nol passed by any mason and if Parliament is of the view that 
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The present Bill being implemented without Parliaments' approval does 
not set a bad precedent in the Parliamentary form of Government. On 
e contraiy, the fact that the Authority is sought to be converted from an 

executive Authority to a statutory authority, it underlines the supremacy 
of Parliament”. 

16. On this issue, Dr. Usha Ramanathan, Expert, in her post-evidence reply 
has inter-alia stated that:- 

Article 73 of the Constitution delineates the extent of executive power of 

the Union and describes it as extending to matters with respect to which 
Parliament has power to make laws. . 

While the executive power of the Union, and of the States, is co¬ 
extensive with the legislative power of the Union and the States, this is a 
prov.sion that sets cut the limits of the power These are not provisions 
that are meant to make Parliament, or the legislatures, redundant. While 
executive power cannot extend beyond the legislative power of the 
Union and the States, Parliament and the legislatures can, and routinely 
do, set out the terms on which the executive is to function. This is also 

how 'delegated legislation' or 'subordinate legislation’ has to be within 
the extent of the 'parent statute'. 

It is a plain misconception to think that the executive can do what it 
pleases, including in relation to infringing constitutional rights and 
protections for the reason thai Parliament and legislatures have the 
power to make law on the subject" 

£E. UID scheme 

17. A resident who seeks to obtain an aadhaar number shall provide his / 
her demographic and biometric information to enrolling agencies appointed by 
Registrars. A resident who does not possess any oocumentary proof of identity 
or proof of address can obtain an aadhaar number by being introduced by an 

1/ introducer. 

18. The UIDAI has executed Memoranda of Understanding (MoU) with the 
partners including all the States and Union Territories, 25 financial institutions 
(including LIC) to act as Registrars for implementing the scheme. The roles 
and responsibilities of the partners flow from the MoU. 



the Authority should not function and express its wiii to tnat effect the 
exercise would have to be discontinued. This contingency does’ not 
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19. The UIDAI requires only basic identity data such as lame, ago, gsndei, 
address and relationship details in case of minors, for issue of unique identity 
number. This is commonly known as Know your Resident iKYR). The partner 
registrars are using this resident interface as an opportunity to update their own 
selected data bases such as ration card number, MGNREG'S job card number, 
PAN card etc. This is commonly known as 'Know your Resident Fius’ (KYR+). 
Collection of these information is purely an initiative of respective Registrars 
and not mandatory for issue of aadhaar number. 


20. The UIDAI is coil acting bare minimum demographic 'information from the 


residents; any other kind oi infon nation, viz., mral, semi-urben and urban areas, 
persons with disabilities, m*grani unskilled and unorganized workers, nomadic 
tribes and others who do not nave any permanent dwelling house, is not. 


available with UIDAI. Asked how the coverage of marginalized sections of 
population, without having the data of aadhaar numbers issued to them, could 
be achieved, the Minis'ry has submitted that the Authority oroposes to cover 
the marginalized ano poor sectionis ol the population throug h special enrolment 

t 

camps organized for the m. i 


21. In a news item dated 6 th September, 2011, it has been reported that the 
Ministry of Home AffaJrs. have identified flaws <n the enrolment process followed 
by the UIDAI, citing esses where people have got aadhnar numbers on the 
basis of false affidavits. i 


22. Further, an expert has brought to the notice of the Standing Committee 

i 

on Finance that issues of liability and responsibility for maintaining accuracy cf 
data on the Register, conducting identity checks and ensuring the integrity of 
the overall operation cf the UIDjscheme have not been resolved. On being 
asked to comment on this, the Ministry of Planning have submitted a written 

reply as follows;- 

“.Registrars nave to put processes in place to ensure that the data 

collected is accurate. It is also the responsibility of the Registrars to 
appoint verifiers (for verifying the documents presented by the resident) 
and introducers to handle leases where the residents do not have any 
documents". ; 
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23. It has been reported in a news item that the Ministry of Home Affairs 
have alleged that some of the registrars have not adhered to the laid down 
procedures under UIDAI. It has also been noticed that the Government of 
Kerala vide G.O.(MS)No:16/2011/ITD dated 3 rd June, 2011 has inter-alia stated 
that the MoU was signed between UIDAI and Government of Kerala for 
implemenation of the UID project suoject to condition that the clauses on the 
standards, protocol, criteria etc. in the MoU shall be in accordance with the 
State IT policy 

F. Globa! Experience 

24. U has been brought to the notice of the Standing Committee on Finance 
that on the basis of the findings of London School of Economics (LSE) report, 
the Government of United Kingdom has abandoned iis ID project (repealed its 
Identity Cards Act, 2006) citing a range of reasons, which includes high cost, 
unsafe, untested and unreliable technology, and the changing relationship 
between the state and the citizen etc. 

To a specific issue of relevance of any of the above mentioned factors in 

the Indian context, it nas been informed by the Ministry as follows:- ' 

“There are significant differences between the UK’s ID card pro*eci and 
the UID project and to equate the two would not be appropriate. The 
differences are as follows:- 

a) The UK system involved issuing a card which stored the information 
of the individual including their biometncs on the card. UID scheme 
'nvolves issuing a number. No card containing the biometric information 
is being issued. UK already has the National insurance number which is 
used often as a means to verify the identity cf the individual. 

b) The statutory framework envisaged made it mandatory to have the UK 
ID card. Aadhaar number is not mandatory. 

c) The data fields were large and required the individual to provide 
accurate information of all other ID numbers such as driver's license, 
national insurance number and other such details thereby linking the UK 
ID card database to all other databases on which the individual was 
registered. UID Scheme collects limited information and the database is 
not linked to other databases. 
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d) In UK, the legislative framework and structure approached it from a 
security perspec:ive. The context and need in India is different. The UID 
scheme is envisaged a:;, a mean to enhance the delivery of welfare 
benefits and sen'ices”. 


25. When asked as to whether any analysis has been carried out on the 
experience of countries where National iDs are in use as well as countries 
where it has been discontinued, the Ministiy nave intir-alia informed the 

Committee in a written reply as toiiows:- 

"In some countries the u;.e of smart cards to store s ignificant data about 
the resident added to concerns about ID fraud and cupUcation. 


The comparisons between developed countries, which are looking at 
additional ID forms from a security perspective, versus India, a 


developing country whicn, like Brazil and Mexico, in attempting to, build 
the basic identity and verification infrastructure essential to delivering 
welfare benefits, and promoting inclusive growth, is not a reasonable 


one 


» 


G. Existing identity forms vs need for aadhaar number 

26. A view has been expressed that adding another form of identity (i e. 
aadhaar number) without studying the possibility of using the existing forms of 
identity, for example, Voter ID card, to solve the current ppjblems appears to be 
a waste of resources. 

27. The Ministry of Planning in a written submission lave inter-alia stated 
the following:- 

*.in the cuirent framework there is no single document which is 

uniformly acceptable as proof of identity across hdia - irrespective of 
age, gender and fare ilia! connections. Establishing identity is a 
challenge for the poor, particularly when they move from place to place 
as a consequence lack of proof of identity makes't difficult for the poor 
to access bene Its and services. 

.Aadhaar number is an enabler.The beneiTs of aadhaar number 

are:- 

“For residents: The aadhaar number will become 1 the single source of 
identity verifies tion. Once residents enroll, they can use the number 
multiple times *• they would be spared the hassle cf repeatedly providing 
supporting identity documents each time they wish to access services 
such as obtaining a bank account, passport, driving license, and so 
on.. . the numfcer will aluo give migrants mobility of identity. 
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Foi Registrars and enrollers: The UIDA! will only enroll residents after 
de-OL'plicaung records. This will help Registrars clean out duplicates 
from their databases, enabling significant efficiencies and cost savings. 
For Registrars focused on cost, the UIDAI's verification processes will 
ensure lower Know Your Resident (KYR) costs. For Registrars focused 
on social goals, a reliable identification number will enable them to 
broaden their reach into groups that till now. have been difficult to 
authenticate. The strong authentication that the aadhaar number offers 
will improve services, leading to better resident satisfaction 

Fcr Governments: Eliminating duplication under various schemes is 
expected to save the Government exchequer a substantial amount. It will 
also provide Governments with accurate data on residents, enable direct 

benefit programs, and allow Government departments to coordinate 
investments and share information”. 

28. The Ministry have further added that: 

—reason for starting the project is not for overriding existing Ids Al! 

ti-.e above documents are relevant to a domain and for a' service' 

Aadhaar number is to be used as a general proof of identity and oroof o f 
address”. 

H. Identity end Eligibility 

29. According to a news item dated 7 th July, 2011, the operationalisation of 
aadhaar, the unique identification number, will make it possible to link 
entitlements to targeted beneficiaries. 8ut it will not ensure boncficiaries have 
been correctly identified. Thus, the old problem of proper identification that 
bedevils the present system will continue. 

30. It has also been brought to the notice of the Standing Committee on 
Finance that a key issue in targeted welfare schemes is said to be of eligibility 
and not identity. Government entitlements are unavailable to the poor, primarily 
due to the eligibility determination process having many loopholes and lacunae. 
One identity like aadhaar number has nothing tc do with such entitlements. 

31. Asked to furnish comments, the Ministry of Planning in a written reply 
have stated that- 

“....With aadhaar number integration in various Government schemes, 
the identity of the beneficiary gets established, by which it is ensured 
that the government scheme benefits reach the intended beneficiaries. 
Availability of identity and eligibility information together provides an 
important tool to plug the loopholes in the eligibility determination 
process, and in managing the eligibility life cycle for a beneficiary”. 




32. Dr. Reetika Kliera, Expert, while deposing before the Committee has 
inter-alia stated as follows:- 


“.exclusion is. moie on account of poor coverage of these 

schemes. Say, for instance, in the Public Distribution System, the 
Planning Commission says that only 'x' per cent of the rural population 
will get the 3PL cards ard because of that cap that is set at the Central 
leveT, we find that lots of peop'e are excluded". 


I. Aadhaar Number and National Population Register (NPR) 

33. The Standing Committee on Finance, during beefing on the Bill held on 

II , h February, 201 \ raised intvt-eha the issue of possibil tv of dovetailing the 
UID exercise with the census operation, in ih<s regard, the Minhtry of Planning 


in their written reply have, amor g other things, stated as fo lows:- 

“ ....the UIDAI is adopting a multiple registrar appioach and the Registrar 
General of Indie (RGI) will be one of the Registrars of the UIDAI. To 
synergize the two exercises, en Inter Ministerial Coordination Committee 
has been set up to minimize duplication The UID A is making all efforts 
to syriergize with National Population Register (NPR) exercise....”. 


34. According to a news item dated 6 l " September, 2011, the Ministry of 
Home Affairs said that it wouM no; be preferable to reiy entirely on private 

r 

sector players' for biometric enrolments, into the NPR since the population 
register will form the basis on which citizenship would tie determined in the 
future. Unlike the UIDAI system, trie NPR system foilows an elaborate 
procedure to verify and cover the entire population of eve y area, and the data 
collected is subjected to 'social vetting': and accountability can be fixed under 
the NPR system. 


35. In an another n=iws article it has been reported that while registration to 
the NPR is compulsory and a National identity Number is linked to each name, 
the Citizenship (Registration o ; Citizens and Issue of National Identity Cards) 
Rules, 2003 does not approve of linking biometrics with personal information. 
However, according to, the annual reports of the Ministiy of Home Affairs, it 
said that integration cf photographs and finger biometrics of 17.2 lakh out of 
20.6 lakh records has been compleied. 
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J. Coordination between the agencies involved in the uID scheme 

36. Iri a detailed note on the NIDAI Bill, the Ministry of Planning have inter- 
alia submitted that - 

“Implementation of a project of this size is challenging. It involves co¬ 
ordination with multiple stakeholders and effective monitoring of 
implementation at every level....". 

37. The Ministry of Finance (Department of Expenditure), however, while 
commenting on embedding aadhaar numbers in databases to enable 
interaction have stated that:- 

“It must be done urgently by single agency, perhaps NPR. Cabinet has 
approved (22.7.2010) outlay o' Rs. 3,023.01 crore inter-alia for 
assistance for Information Communication Technology (ICT) 
infrastructure of Rs. 450 crore for integrating/ synergizing ° Aadhaar 
numbers with existing databases. Concerned about lack of co-rdination 
leading to duplication effort and expenditure with at least 6 
agencies collecting information (NPR. MNREGA, BPL Census, UID 
RS8Y and Bank Smart Cards)”. 

38. It has been reported in a news item dated 3 rd October, 2011 that the UID 
project has become focus of the ire of various arms of the government for 
rather disparate reasons. Asked to furnish the comments on the said news 
item, the Ministry of Planning have submitted a written reply as follows:- 


i Views reported in the news item 

■ 

i 

< 

t 

Comments of the Ministry of 
Planninq 

.. .the Finance Ministry rejected 
UlOAI's request for Rs. 14,000 crore 

j expenditure programme. 

* 

1 

4 

t 

t 

( 

t 

• 

1 

1 

1 

1 

1 

1 

i 

1 

1 

1 

It is not correct that the Finance 
Ministry have rejected the budget 
expenditure. The proposal for phase 
III has been recommended by the 
EFC on 15 September, 2011 after 
optimizing the cost estimates with 
certain stipulations to be complied with 
by the UIDAI to achieve economy of 
scales, avoid duplication and avail 
convergence in the programme. 

..the planning commission too 
jumped into the fray, suddenly 
awakening to the deficiency in the 
structure and functioning of the 
Authority. 

Aadhaar programme is a complex 
project of its kind launched first time in 
the country. EFC is an Inter- 

Ministerial forum to appraise the 
proposal rigorously to facilitate 
decision making by the Competent 
Authority. Planning Commission is 
one of the nodal apprising agencies to 
the EFC forum. On approval by 
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Planning Commission some issues 

regarding design parameters, cost 
estimates and manner of 


Adding to the confusion were the 
apparently negative comments made 
by the Ministry of Home Affairs(MHA) 
on the flaws in the emtolment piocess 
and the security of Line biometric data. 
The Home Ministry s apparently 
nervous of the UIDAi's efforts tc 
extend its aadnaar enmimen 1 
mandate, as the office of the Rcgistrai 
Genera 1 of India, ar arm of the 
Ministry, is simultaneously compiling e 
National Population Register (NPRi 
which is a comprehsnsive identity 1 
database, as a part of the 2011 
census operations currently under 
v/ay. j 


The confusion about tie turf c UIDAI 
and the MHA is rather su rprising, 


implementation were emerged, which 
could not be visualized at project 
formulation stage. These issues have 
been deliberated h the EFC meeting 
and resolved through certain 
stipulations tc be cdhered to by UIDAI 
during execution oi the project. 


While responding lo the EFC memo cf 
the UIDAI, the RG! (MHA) have 
observed as follows - 
A security audit o the entire process 
of UIDAI including enrolment process 
in UIDAI, the enro ment software, data 
storage, dala nanagement, etc 
should be conducted by an 
appropriate agencv. 

The Comments of the UIDAI on tills 
are:- 

UIDAi is developirg a monitoring and 
evaluation framework to provide a 
comprehensive mechanism for 
continuously monitoring' and 
evaluating the UIDAI program. 
Considering that a formal structured 
monitoring arid evaluation framework 
wilt form the cornerstone for 
measuring the outcome of UIDAI 
programme, a distinct component 
'Monitoring and evaluation’ has been 
included in the cui rent EFC proposal. 
Some of the audits planned on a 
periodic basis ore:- (i) Enrolment 
Client Audit; (ii) Enrolment Process 
(Field) Audits; (iii) ASDMSA 
Application Audits; (iv) Authentication 
User Agency Audits; (v) Data Center 
Audits; (vi) Security Audits; (vii) Impact 
Assessment (Grants in Aid for 
Research); and (viii) Other Third Party 
Audit Services. 


UIDAI has no comments to offer. 
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given the fact that an EGoM was 
j constituted as early as 2006 to collate 
| the two schemes, namely the NPR 
and the unique identification number, 

asaadhaarwas then known. 


RBI made the waters murkier by first It is clarified that- 



•' going against the Finance Ministry 
, notification that was issued in 2010 to 
; permit the use of Know Your 
j Customer (KYC) norms- by limiting the 
use of aadhaai numbers to “small 
accounts 1 '. It then retracted, by 
allowing use of aadhaar numbers to ail 
I bank accounts without any limitations, 
but only after again insisting that the 
banks must satisfy themselves about 
the current address of the customer. 
RBI’s reluctance to fully accept- the 
aadhaar numbers for the KYC norms 
is surprising, given that more than a 
I dozen leading banks in the country 
j are partnering with UIDAI to deliver 
| aadhaar numbers to the citizens, and 
j also when the aadhaar number have 
been accepted by the insurance 
companies and SE8I for meeting KYC 
norms. _ 


0 ) aadhaar is sufficient KYC for 
opening all bank accounts now. This 
includes no-frill accounts- as per 
Reserve Bank's circular dated January 
27. 2011 - and any bank account as 
per September 28, 2011 circular. 

00 Banks may ask for additional proof 
of residence if tho current residence 
is not the same as the address given 
on the aadhaar document. This 
procedure is consistent with bank 
policies applicable to all other officially 
valid documents including passport, 
driving license and is not specific to 
aadhaar 


J 


K. Civii Liberties Perspective 

39. In a detailed note on the 8«i, the Ministry of Planning have stated that 
issues like access and misuse of personal information, surveillance, profiling, 
prohibiting other data bases from storing aadhaar numoers; and securing 
confidentiality of information which is in the registrars domain need to be 
addressed in largei data protection legislation. In this connection, the Ministry 
nave been asked to comment on the view that the Bill in its current form 
appears to be unsafe in law as there is no law at present on privacy, and data 
protection, therefore, it would be appropriate to consider the Bill for legislation 
only after passing the legislation on privacy, and data protection so as to 
ensure that there is no conflict between these laws: The Ministry in a written 
reply have inter-alia stated as under: - 
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"UiDAl has taken appropriate steps to ensure security 



data under this law anc has incorporated data protection principles 
within its policy and implementation framework. 


Since appropriate steps have been taken, there is no dependency on the 
general data protection law. . ..when the data protection framework 
comes into place the Authority will follow the same since a national data 

protection lav/ will apply to all agencies and institutions collecting 
information. 

Collection of information without a privacy law in place does not violate 
the right to privacy of the individual....There is no bar on collecting 
information, the only rei|uireirient to be fulfilled with respect to the 
protection of .he privacy of an individual is that care: should be taken in 
collection and jse of information, consent o f i "dividual would be 
relevant, information shoi.id be kepi safe and confidential.. 


.The proposed Privacy law snould also seek to strike a balance 

between the legitimate demands of protecting individual liberties 
while recognizing the need for larger puDlic interesi to prevail in certain 
well defined circumstances". 


40. Responding io a suggeslion received from PRS Legislative Branch that 
the existence of a unique identifier may facilitate record linkages across 
separate databases, the Ministry in a written reply have submitted that issues of 
• linking and matching of databases need to be addressed through a data 

protection legislation which is currently being considered by the Department of 
Personnel. 


41. The National Human Rights Commission (NHRC;, on being asked to 
comment on the implications of the provisions of the Bill on the individual's right 

to privacy, has inter aha informed the Committee in their post-evidence reply as 
follows:- 


....the right or privacy presupposes that such mfoimation relating to an 
individual which he would not like to share witi others w'll not he 
disclosed. It may be mentioned that the right of privacy is not an 
absolute right.” 

42. On the same issue, Dr Jshs Ramanathan, expert in her post-evidence 

reply has stated thaf:- 

“....7 he right to dignity, I he right to privacy, personal security and safety, 
the protection against surveillance, are constituti onally protected. The 
production of ? numbei accompanied by the use of methods such as 
fingerprinting a id iris scanning is even more invasive than is permitted to 
be applied to a leged offenders. Article 20 (3) provi les protection against 
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compulsory extraction of personal information. Denying services, and 
rights, to persons because they are unwilling to part with the information 
in a manner that is more than likelv to result in convergence and 
commodification of their personal information, surveillance, profiling, 
tagging and tracking is compulsory extraction that clearly reduces the 
constitutional rights of an ordinary citizen to less than that of an alleqed 
offender. And that this is being done without the protection of law 
renders the exercise, pei se, illegal. Apart from its 'uses', the potential for 
abuse is undeniable. In a similar context, another court - the PhilioDines 

Supreme Court - said: .the data may be gatheied foI gaSand 

useful government purposes; but the existence of this vast reservoir of 
personal information constitutes a covert invitation to misuse, a 
temptation that may be too great for some of our authorities to resist".' 

l. Financial Implications 

U) Feasibility Study 

4 3 The Ministry of Planning in a detailed note on the Bill ha*/e stated that 

uadhaar number is cost-effective compared to other alternate targeted solutions 

to the problems identified in delivering services and benefits such as eliminating 

duplicate and fake identities. The Detailed Project Report (OPR) of the UiD 

scheme has been prepared and submitted by M/s Ernst & Young Pvt.Ltd. in 
April, 2011. 

* 

44. Asked whether any committee has been set up to study the financial 
implications of the UID scheme; and also to furnish the details of feasibility 
Study Carried out, if any, covering ail aspects of the UID scheme such as setting 
up of the proposed NIDAI, and cost-benefit analysis, the Ministry in a written 
reply have, among other things, submitted that:- 

‘No committee has been set up to study the financial implications of the 
UID scheme. As per laid down guidelines/procedure the Expenditure 
Finance Committee (EFC) reviews project proposals and its financial 

implications wherein the views of all stakeholders/ministries are taken in 
to account... 

i 

.deliberations were held with all relevant stakeholders including 

Planning Commission, Registrar General of India, Election Commission 
of India, Ministry of Rural Development. Ministry of Urban Development 
and State Governments. A Proof of Concept study was undertaken in 
the States of Gujarat, Karnataka, U.P. and Orissa in four rural and one 
urban locations to establish the feasibility of linking UID with partner- 
databases and to validate the possibility of one-time linkage which once 




I 


established would be maintained on an ongoing bas s by the UIDAI An 
assessment stucy was carried out in 10 Central Ministries and their 
respective departments ir four states (Karnataka, UFar Pradesh, Gujarat 

and West Bengal". 


(ii) Estimated coat of the UVD scheme 

45. The UIO scheme is a Central Sector Scheme. The estimated cost of the 
Phase-I and Phase-sl o' the scheme spread over five years is Rs.31 /0.32 crore 
(Rs. 147.31 crore for Phase-1 anil Rs.3023.01 crore for Phase-ll). The estimated 
cost includes scheme components for issue of 10 crore UiC 1 numbers by March, 
2011 and rscuming establishment costs for the entiie scheme up to March, 
2014. The Eludget for Phase-Ill of the scheme to the tune )f Rs.8861 crore has 

been approved. 


46. According tc news items, the total cos* of the UID scheme may run up tc 
Rs. 1.50,000 crore. E"8n after the commitment of such levels of expenditures, 
the uncertainty over he technological options and ultimate viability of the 
scheme remains. 


(iii) Comparative cost of aadhaai number and existing ID documents 

47. Asked tc fun iisi the details ol comparative cost of € xisting ID documents 


(per individual), namely, Voter Id card, PAN card, driving license and aadhaar 
number, the Minist ‘7 has inter-alia informed the Committee in a written reply 
that the comparative costs of the documents mentioned above are not 

available. 

(iv) Funding of other biometric projects 

48. It is noticed that a project namely, Bharatiya * Automated Finger Print 
Identification System AFSI), was launched in January, 2009, being funded by 
the Department ol Information Technology, Ministry/ of Communications and 
Information Technology, for collection of biometric information of the people of 


the country. 


49. Asked to clarify as to whether the biometric information (Finger prints) 
being collected undei the Bharatiya - AFSI project could also be used by the 
UIDAI, the Ministry hsve submitted that- 
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“The biometrics required for the aadhaar project are iris, ten fingerprints 
and photograph. To ensure uniqueness of the individual, it is essential 
that the biometrics captured are as per the specifications laid down by 
the Biometrics Standards Committee. The quality, nature and manner of 
collection of biometric data by other biometric projects may not be of the 
nature that can be used for the purpose of the aadhaar scheme and 
hence it may not be possible to use the fingerprints captured under the 
Bhartiya-AFSI project". 

(v) Revenue model of the UIDAI 

50. According to a detailed note on the biil furnished by the Ministry of 

Planning, demographic data and addiess verification will be provided free of 
cost till a separate pricing policy *s announced in due course. 

51 However, in a news item uated 6 th September, 2011, it has been 

reported that the Ministry of Home Affairs pointed out uncertainties in the 
UlOAI's revenue model. 

M. Technology 

52. The Biometrics Standards Committee set up by the UIDAI has 

recognized in its report that a fingerprints-based biometric system shall be at 

the core of the UIDAI’s ae-duplication efforts. It has further noted that it is: 

...conscious of the fact that de-duplication of the magnitude required by 
the UIDAI has never been implemented in tne world. In'the global 
context, a de-duplication accuracy of 90% has been achieved so far, 
using good quality fingerprints against a database of up to fifty million.’ 
Two factors however, raise uncertainty about the accuracy that can be 
achieved through fingerprints. First, retaining efficacy while scaling the 
database size from fifty million to a billion has not been adequately 
analyzed. Second, fingerprint quality, the most important variable for 
determining de-duplication accuracy, has not been studied in depth in 
the Indian context". 

« 

53. Asked to explain the reliability of technical architecture of the UID 
scheme, the Ministry of Planning in a detailed note on the NIDAI Bill have, 
among other things, stated as follows:- 

“The UID project is a complex technology project. Nowhere in the world 
has such a large biometric database of a billion people being 
maintained. The frontiers of technology in biometrics are being tested 
and used in the project. 

The technical architecture of the UID scheme is at this point, is based on 
high-level assumptions. The architecture has been structured to 
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ensure clear data verification, autefata and <b 

ensuring a high le vel of privacy and information security 



The Droject leam is learning and adapting to the challenges and 
ensuring that the solutions that are being offered are the best in the 
world to achieve the task....”. 


54. Further asked as to given (he high degree of Essumptions on the 
reliability of technology adopted by the UIDAI and probability of system failures 
of different degrees, whether incurring huge costs on he UID scheme is 
prudent and affordable, the Ministry have stated in a written reply, among other 


things, as foiiows - - 

“.UIDAI is cognizant cf the fact that biometric matching (which is a 

patterns matching) by ‘is very nature will suffer from inaccuracy. 
However, these inaccuracy levels are less than 1 ' / o This cannot be a 
reason for not attempting to use the technology. 

It is well ackrio'vledged that there will be failures in authentication foi 
various reasons. After Proof of Concept studies on authentication, 
appropriate policies and processes will be developed to take care of 
situations where failure occurs for various reasons.....! he choice of 
using the authentication services is left to the third party service 

provider.Concerned agencies will have to develop policies and 

procedures to handle such exceptional situat'ons. .. 


55. In a news articla, one o: the representatives of tne UIDAI nas admitted 
that the quality cf fingerprints is bad because of the rough exterior of fingers 
caused by hardwork, End this poses a challenge for later authentication. 

N. National Security vs the UID scheme 

(i) Illegal residents 

56. A concern over the possibility of illegal residents getting aadhaar 

* 

numbers, and the safeguards in this regard has been mised by the Standing 
Committee on Finance during the sitting held on 11 February, 2011. In a 

written reply, the Ministry of Ph inning have st3t@d 

"Aadhaar number is not a proof of citizenship or domicile [Clause 6 of 
the Bill]. It ony confirms identity and that too subject to authentication 
[Clause 4(3)]. This is clearly mandated in the NIDAI Bill and the 
communicaior being sent to fhe resident. 

It is the responsibility of the Registrars to enrol a resident after due 
verification as per the procedure laid down by the UIDAI. If a person is 
not a resident as per the Bill, the Authority is being vested with the power 
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to omit/deactivate the aadhaar number [Clause 23 (2) fg)]. Subsequent 
atiempts to enter the system can be detected" 

(ii) Involvement of Private agencies 

57. On the issue of security of proposed data of UIDAI. an unstarred 
question (no.2989) was raised in Rajya Sabha. The Minister of State in the 
Ministry of Planning and Minister of State in the Ministry of Parliamentary 
Affairs tabled the answer to the above said question in Rajya Sabha on 22 
April, 2010 as follows:- 

“Nationa!. Informatics Centre (NIC) had pointed out that the issues 
relating to privacy and security of UID data, in case the data is not 
hosted in a Government data centre may be taKen into consideration. 

UIOA 1 is of the opinion that the hosting of data in a private data centre 
does not necessarily lead to a violation of privacy or security. 
Appropriate contractual arrangement shall be put in place with the data 
centre space provider to ensure security and privacy of the data. 

At present, UIDAI does not have its own permanent facility to house its 
data centre. Therefore, 75 sq.ft of data centre space has been hired 
from M/s. ITI Ltd. for proof of concept and pilot on a rental basis". 

58. The Ministry of Home Affairs, according to a news item, have questioned 
the security of citizens' biometric data in UIDAl's ‘outsourced service oriented 
infrastructure' model. 

59. To a specific query as to could outside agencies be allowed to partake in 
the UID scheme when doubts have been expressed on possible compromise 
with the interests of the national security, the Ministry of Planning in a written 
reply have inter alia stated that:- 

♦ 

“....the UIDAI has followed government procurement process and 
engaged tiie appropriate agencies for the implementation of the UiD 
scheme....The UIDAI has also implemented a comprehensive 
information security policy.” 

60. It is, however, reported in various news articles as late as dated 26 th 
November, 2011 that controversies between the Ministry of Home Affairs and 
the UIDAI over the issues such as manner and processes followed by the 
UIDAI, duplication of efforts between National Population Register and 
aadhaar, and security of data remain unresolved. 
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OBSERVATIONS / RECOMMENDATIONS 

1. The Committee have carefully examined the written information 
furnished to them and heard the views for and against the National 
Identification Authority of India (NIDAI) Bill from various quarters such as 
the Ministry of Planting, the Unique Identification Authority of India 
(UIDAI), the National Human Rights Commission (NdRC) and experts. 
The clearance of th<» Minisi’Y of Lav/ S. Justice for Issuing aadhaar 
numbers, pending passing the Bill by Parliament, cn the ground that 
powers of the Exeout ve are coextensive with the legislative power of the 
Government and that the Government is not debarred from exercising its 
Executive power in the areas which are not regulated oy the legislation 
does not satisfy trie Committee. The Committee are constrained to point 
out that in the instani case, since the law making is underway with the bill 
being pending, aoy executive action is as unethical and violative of 
Parliament's prerogatives as promulgation of an ordinance while one of 
the Houses of Parfiarnent being in session. 

2. The Committee are suiprised that while the country is on one hand 
facing a serious problem of illegal immigrants and inf Itration from across 
the borders, the National identification Authority of India Bill, 2010 
proposes to entitle every resident to obtain an aadhaar number, apart 
from entitling sucii other category of individuals as may be notified from 
time to time. This will, they apprehend, make even illegal immigrants 
entitled for an aadhaar number. The Committee are unable to understand 
the rationale of expanding the scheme to persons wha are not citizens, as 
this entails numerous benefits proposed by the Government. The 
Committee have received a number of suggestion.; for restricting the 
scope of the UID scheme only to the citizens and for considering better 
options available with the Government by issuing Multi-Purpose National 
Identity Cards (MNICs) as a more acceptable alternati ve. 
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3. The Committee observe that prima facie the issue of unique 
identification number, which has been referred to as “aadhaar number” to 
individuals residing in India and other classes of individuals under the 
Unique Identification (UID) Scheme is riddled with serious lacunae and 
concern areas which have been identified as follows:- 



The UIO scheme has been conceptualized with no clarity of 
purpose and leaving many things to be sorted out during the 
course of its implementation; and is being implemented in a 
directionless way with a lot of confusion. The scheme which 
was initially meant for BPL families has been extended for all 
residents in India and to certain other persons. The Empowered 
Group of Ministers (EGoM), constituted for the purpose cf 
collating the two schemes namely, the UIO and National 
Population Register(NPR), and to look into the methodology and 
specifying target for effective completion of the UID scheme, 
failed to take concrete decision on important issues such as (a) 
identifying the focused purpose of the resident identity 
database; (fc) methodology of collection of data; (c) removing 
the overlapping between the UID scheme and NPR; (d) 
conferring of statutory authority to the UIDAl since its inception; 
(e) structure and functioning of the UIDAl; (f) entrusting the 
collection of data and issue of unique identification number and 
national identification number to a single authority instead of 

i 

the present UIDAl and its reconciliation with National 

Registration Authority; 

* 

The need for conferring of statutory authority to the UIDAl felt by 
the Government way back in November, 2008, but was deferred 
for more than two years for no reason. In this regard, the 
Ministry of Planning have informed the Committee that till the 
time Parliament passes the.NIDAI Bill, crucial matters impinging 
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on security unrt corfidentalRy ot inlormatian will be covered by 

the relevant laws. The Committee are at a loss to undeistand as 
to how the UIDAI, without- statutory power, could address Key 


issues concerning their basic functioning and initiate 


proceeding.*', against the defaulters and penalize them; 



(«) 



The collection of .n'ometric information and its linkage with 
personal information of individuals without amendment to the 
Citizenship Act, 19: 5 av. well as ihe Citizenship (Registration of 
Citizens and Issue of National Identity Cards) Rules, 2003, 
appears to fce beyond the scope of subordinate legislation, 
which needs to be examined in detail by Par'iameni; 


(d) Continuance of various existing forms of identity and the 
requirement of furnishing ‘other documents’ for proof of 
address, even afte, issus of aadhaar number, would render the 
claim made by the Ministry that aadhsar number is to be used as 
a general proof of identity and proof of address meaningless; 


(e) In addition to aadhaar numbers being issued by the UIDAI, the 
issuance of sran-f cards containing information ot the 
individuals by the registrars is not only a duplication but also 
leads l© ID fraud as prevalent in some countries; and 


(f) The full or near full coverage of marginalized sections for 
issuing aadhaar ninnbeis could not be achieved mainly owing to 
two res sons viz. Ji) the UIDAI doesn’t have the statistical data 
reiating to them; and (ii) estimated failure of biometrics is 
expected to be as high as 15% due to a large chunk of 
population being dependent on manual lab our. 

4. The Commit:ee regret to observe that despite the presence of 
serious difference of opinion within the Government on the UID scheme 
as illustrated bslow, the scheme continues to bu implemented in an 
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(Hi) 


overoearing manner without regard to legalities and other social 
consequences:- 

(i) The Ministry of Finance (Department of Expenditure) have 
expressed concern that lack of coordination is leading to 

\j duplication of efforts and expenditure among at least six 
\^/\ agencies collecting information (NPR, MGNREGS. BPL 
I 'census, UIDAI, RSBY and Bank Smart Cards): 

(ii) The Ministry of Home Affairs are stated to have raised 

ya serious security concern over the efficacy of introducer 

\\ system, involvement of private agencies in a large scale 

' f } . \ \ in the scheme which may become a threat to national 

jy ,/k ] \ 

vi security; uncertainties in the UIDAI’s revenue model; 

(iii) The National Informatics Centre (NIC) have pointed out 
that the issues relating to privacy and security of UID data 
could be better handled by storing in a Government data 
centre; 

(iv) The Ministry of Planning have expressed reservation over 
the merits and functioning of the UiDAI; and the necessity 
of collection of iris image; 

(v) Involvement of several nodal appraising agencies which 
may work at cross-purpose; and 

(vi) Several Government agencies are collecting biometric(s) 
information in the name of different schemes. 

5. The Committee are also unhappy to observe that the UID scheme 
Jacks clarity on many issues such as even the basic purpose of issuing 

r 

“aadhaar” number. Although the scheme claims that obtaining aadhaar 
number is voluntary, ar. apprehension is found to have developed in the 

« c aa --- - — " ". 

minds of people that in future, services / benefits including food 
entitlements would be denied in case they do not have aadhaar numbeT. 




it is also noi clear as to whether possession of aadhaar number -^ 
would be made mandatory in future fcr availing of benefits and services. 

Even if the aadhaa; number links entitlements to targeted beneficiaries, it 
may not ensure that aeneficinries have been correctly identified. Thus, 
the present problem cf proper identification would persist. 








it is also r.ot claar that the UID scheme would continue beyond the 
coverage of 200 million of the total population, the mandate given to the 
UIDAI. in case, the Government does not give further naridate, the whole 

i 

exercise would become futile. 




6. Though there are significant differences be ween the identity 
system of other countries and the U«D scheme, yet there are lessons from 
the global experience to be learnt before proceeding with the 
implementation of the UID scheme, which the Ministry of Planning have 
ignored completely. For instance, the United Kingdom shelved its 
identity Cards Project for a number of reasons, which included:- (a) huge 
cost involved and possible cost overruns; (b) too complex; (c) untested, 
unreliable and unsafe technology; (d) possibility of risk to the safety and 
security of citizens; and Je) requirement of high standard security 
measures, which wxild result in escalating the estimated operational 
costs. In this context, the Report of the London School of Economics’ 

Report on UK’s identity Project inter-alia states that".identity systems 

may create a range of new and unforeseen problems.the risk of failure 

in the current proposals is therefore magnified to the point where the 
scheme should be regarded as a potential danger to the public interest 
and to the legal rights of individuals". As these findings are very much 
relevant and applicable to the UID scheme, they should have been 
seriously considere d. 





7. The UID scheme facilitates the UIDAI and the registrars to create 
database of information of people of the country. Considering the huge 
database size and possibilily of misuse of information, the Committee are 
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of the view that enactment of national data protection law, which is at 
draft stage with the Ministry of Personnel, Public Grievances and 
Pensions, is a pre-requisite for any law that deals with large scale 
collection of information from individuals and its linkages across 
separate databases. In the absence of data protection legislation, it 
would be difficult to deal with the issues like access and misuse of 
personal information, surveillance, profiling, linking and matching of data 
bases and securing confidentiality of information etc. 



8. The Committee note that the Ministry of Planning have admitted 
that (a) no committee has been constituted to study the financial 
implications of the 'JIO scheme; and (b) comparative costs of the aadhaar 
number and vaiicus existing ID documents are also not availeole. The 
Committee also note that Detailed Project Report (DPR) of the UID 
Scheme has been done much later in April, 2011. The Committee thus 
strongly disapprove of the hasty manner in which the UID scheme has 
been approved. Unlike many other schemes / projects, no 
comprehensive feasibility study, which ought to have been done before 
approving such an expensive scheme, has been done involving all 
aspects of the UID scheme including cost-benefit analysis, comparative 
costs of aadhaar number and various forms cf existing identity, financial 

implicaticns and prevention of identity theft, for example, using hologram 

« 

enabled ration card to eliminate fake and duplicate beneficiaries. 


9. The Committee are afraid that the scheme may end up being 
dependent on private agencies, despite contractual agreement made by 
the UIDAI with several private vendors. As a result, the beneficiaries 
may be forced to pay over and above the charges to be prescribed by the 
UIDAI for availing of benefits and services, which are now available free 

of cost. 
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10. The Committee find that ihe scheme is full of uncwfelmjl W 


technology as the complex scheme is built up on untested, unreliable 
technology and several a:;:sumptions. Further, despite adverse 
observations by the iJIDAI’s Biometrics Standards Committee on error 
rates of biometrics, th a UIDAi is collecting the biometric information. It is 
also not known as to whether the proof of concept studies and 
assessment studies undertaken by the UIDAI have explored the 
possibilities of maintaining accuracy to a large level of enrolment of 1.2 
billion people. Therefore considering the possible limitations in 
applications: of technology available now or in th<* near future, the 
Committee would believe that it is unlikely that the proposed objectives of 


the UID scheme conic be ach'eved. 


11. The Committee feel that entrusting the responsibility of verification 
of Information of individuals lo the registrars to ensure that only genuine 
residents get enrolled inlo- the system may have far reaching 
consequences for national security. Given the limitation of any 
mechanism such as ;» security audit by an appropriate agency that would 


be setup for verifying the information etc., it is not sure as to whether 
complete verification of information of all aadhaar number holders is 
practically feasible; and whether it would deliver the intended results 
without compromising national security. As the National identity Cards 
to citizens of India are proposed to be issued on the basis of aadhaar 
numbers, the possibility of possession of aadhaai numbers by illegal 
residents through false affidavits / introducer system cannot be ruled out. 


12. The Committee take note that the Ministry of Home Affairs have 
alleged that some cf the registrars have not adhered to the laid down 
procedures under UIDAI which renders the Memoranda of Understanding 
(MoU) signed between the UIDAI and the registrars meaningless; and it 
compromises the security and confidentiality of Information of aadhaar 
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number holders. Even, according to the latest media reports, 
controversies between the Ministry of Home Afrairs and the UIDAf over 
issues such as the manner and processes followed by the UIDAf, 

duplication of efforts between NPR and aadhaar, and security of data still 
remain unresolved. 

13. In view of the afore-mentioned concerns and apprehensions about 
the UID scheme, particularly considering the contradictions and 
ambiguities within the Government on its implementation as well as 
'implications, the Committee categorically convey their unacceptability of 
the National Identification Authority of India Bill, 2010 in its present form. 

"! he data already collected by the UIDAI may be transferred to the National 
Population Register (NPR), ,‘f the Government so chooses. The 
Committee would, thus, urge the Government to reconsider and review 
the UID scheme as also the proposals contained in the Bill in all its 
ramifications and bring foith a fresh legislation before Parliament. 


New Delhi YASHWANT SiNHA 

ILQecember, 2011 Chairman, 

29 Agrahayana ,1933 (Saka) Standing Committee on Finance 
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NOTE OF : DISSENT 


Appendix I 



SI in Raashid Alvi, MP 


I do not agree with the paragraph “13" of the draft Report on 'The 
National Identification Authority of India Bill, 2010". 


I suggest to delete 'this pura”. 


Dated: 7 December, 20 I i 


Sd/ 

(RAASMID ALV!) 
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NOTE OF DISSENT 


Prem Das Rai, MP 

The National Identification Authority of India Bill, 2010 

At the outset I do not believe that the bill should be rejected in the 
manner it has been. Since I have been inducted into the Committee recently I 
do not have the inputs that went in when the stakehoioers arid other 
Government departments were giving witness. I also do not know whether we 

gave enough time to the UID implementers to give evidence and present their 
point of view. 

Hence, i would like to place on fecord that the issue of giving out Adhaar 
numbers unaer the UID scheme, I believe, is one of the gieatest import for 
social and economic inclusion in this country. I personally am privy to tne kind 
of work that is needed at the grassroots as I was part of an organisation that did 
such work .n the North East of India and other backward legions using seme 
form of technology to bring in inclusion. 

The linking of a person to a number and then being able to make give 
access to the right to that person is transformational. It is the next phase of 
transformation that technology can bring about in our own country. This has 
never been done anywhere in the world and we should be rightly proud of this. 

I do agree there may be serious issues that need to be factored in which 
my esteemed colleagues have pointed out 

! recommend that the Dill may be discussed in Parliament bringing about 
some of the changes so desired and do not concur that the Bill be brought 
fresh 


Dated: 8 December, 2011 


Sd/- 

(PREM DAS RAI) 


NOTE OF DISSENT 


Manicka Tagore, MP 


I could not attend this meeting on adoption of the draft report on the 
National Identification Authority of India Bill, 2010 because a very important 
discussion on the price rise was going on in the Lok Sabha. The Govt, of India 
with a view to ensure that the benefit? of centrally sponsored schemes reaches 
to right persons and not misused, they had decided to issue unique 
identification numbers to all residents in India and to certain other persons the 
basic idea was to ,beatification of the persons. The Adl ar programme has 
been launched first time in India. The UIDAI official? hao taken all possible 
precautions to make the exorcise sate and secure Both demographic and 
biometric datas were collected and its method of collecting datas were 
approved by the Demote Standard arid Verification Procedure Committee 

It is surprising to know that the committee members have not yet 
recognized the value of UID. This system will cut down fraud and corruption in 
every area of administration. 

I dissent the observa;ion and recommendation cf the Standing 
Committee on Finance regarding the Draft Report on the National Identification 
Authority of India Bill, 2010. I request the Chairman that the UID bill may kindly 
be considered by the Government with our views and not rejected. 




Dated lu December, 2011 


Sd/- 

(MANICKA TAGORE) 
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Appendix II 

Minutes op the thirteenth sitting of the standing committee on finance 

(2010-11) 

The Committee sat on Friday, the 11 th .February, 20.11 from 1130 hrs to 1400 hrs. 

PRESENT 

Shri Yashwant Sinha - Chairman 

MEMBERS 

LOK SABHA 

2 Shr: Bhartruhari Mahtab 

3 Smt. Jaya Prada Nahata 

4. Shri Ravapati Sambasiva Rao 

5. Or. Kavuru Sambasiva Rao 

6. Shri Manioka Tagore 

RAJYA SABHA 

7. Shri S.S. Ahluwalia 

8 Shri Raashid Alvi 

9 Shri Piyush Goyai 
10. Shri Moinul Hassan 

S ECRETARIA T 

1. Shri A. K. Singh - 

2. Shri T G. Chandrasekhar - 

3. Shri Ramkumar Suryanarayanan - 
4 Smt. B. Visala 


Joint Secretary 
Additional Director 
Deputy Secretary 
Deputy Secretary 


WITNESSES 

Ministry of Planning 

1. Ms Sudha Piilai, Member-Secretary 

2. Shri Pronab Sen, Pr. Adviser 

3. Shri Chaman Kumar, Addl. Secretary & FA 

4. Shri C. Muralikrishna Kumar, Sr. Adviser 

5. Shri T.K. Pandey, Joint Secretary (Admn.) 

Unique Identification Authority of India (U1DAI) 

1. Shri Nandan Nilekani, Chairman 

2. Shri R.S. Sharma, Director-General 
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2 The Committee t >ok evid, mce ot tne representative. ot the Ministry of 
Planning and Unique Identification Authority of India (U DAI) in connection 
with the examination cf the National Identification Authority of India Bill, 201 . 
Major issues discussed with the representatives included, need for providing 
statutory status to the Unique Identification Authority of India (UIDAI); 
Definition of 'ResioenV; provision for de-activating the Aadhaar Number, 
collection of demographic information and biometric importation; nature of 
enrolment and speci )l measures for enrolment cf weaker sections. e 
Chairman directed U,r representatives to furnish replies to the points raiseo 

during the sitting within one week. 
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Ths witnesses than withdrew. 

A verbatim record of proceedings was kept 
The Committee then adjourned. 
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MINUTES OF THE NINTEENTH SITTING OF THE STANDING COMMITTEE ON FINANCE 

( 2010 - 11 ) 

The Committee sat on Wednesday, the 29 th June, 2011 from 1130 hrs to 1400 hrs. • 

PRESENT 

Shri Bbartruhari Mahtab - Acting Chairman 


LOKSABHA 


MEMEER3 


2 Shn C.M. Chang 

3 Shri Bhakta Charan Das 
4. Shri Gurudas Dasgupta 

5 Shri NishiKant Dubey 

6 Shri Mangani Lai Mandal 

7 Shri Magunta Sreenivasulu Reddy 

8 Dr. Kavuru Sambasiva Rao 

9. Shri Sarvey Sathyanarayana 

10. Shri Dharam Singh 


RAJYA SABHA 


1 1 Snri S.S. Ahiuwalia 

12. Shri Raashid AM 

13. Shn Moir.ul Hassan 


SECRETARIAT 


¥ 


1. Shri A. K. Singh 

2. Shri R.K. Jain 

3. Shri T. G. Chandrasekhar 

4. Shri Kulmohan Singh Arora 


Joint Secretary 
Director 

Additional Director 
Under Secretary 



Part I 

<1130 hrs. to 1145 hrs.) 


2. In the absence of the Chairman, the Committee chose Shri Bhartruhari 
Mahtab, M.P. to chair the sitting under Rule 258(3) of the Rules of Procedure. 


3. 

XX 

XX 

XX 


XX 

XX 

XX 


XX. 

XX 
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Part li 

(1145 hrs. to 1215 hrs.) 
WITNESSES 

National Human Richts Commission (NHRC) 

, i >i m mj u ■ >nwn» nn—mwiM ♦ . . .. 

1. Shri Raji\' Sharma - Secretary-General 

2. Shri A.K. Garg - Registrar (Law) 

3/ Shri J.P. Meena - Joint Secre'ary (P&A) 


4. The Committee heard the representatives of the National Human Rights 
Commission on "The National irlenutcation Authority of India Bill, 2010”. The 
major issues discussed during the sitting broadly related to nature, objective 
and beneficiaries of aadhaar number; possible discrimination and specific 
oro'dsions that are reouired to be bunt in; safeguards needed for securing the 
stored information by the proposed National identification Authority of India; 
implications of the provisions of the Bill on the individual’s right to privacy, etc. 
The Chairman directed the representatives of the Naiional Human Rights 
Commission to furnish replies If) the points raised by the Members during the 
discussion within a week. 

W 

The witnesses then withdrew. 


Part III 

(1215 hrs, to 1300 hrs.) 
WITNESSES 

Indian Banks’ As sociation (IBA) 






1. Shri M.D. Mallya - Chairman 

2. Dr. K. Ramakrishnan - Chief Executive 

3. Shri M.R. Umarji - Chief Advisor-Legal 

5. Subsequently, the Committee heard the representatives of the Indian 
Banks’ Association (IBA) on he National Identification Authority of India Bill, 
2010”. The major issues discussed during the sitting broadly related to 
stipulations prescribed by the Ministry of Finance and the Reserve Bank of 
India for using aadhaar numbers for opening bank accounts; new account 
holders added through aadhaar numbers; and utility or aadhaar number in 
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financial inclusion, social sector lending, etc. The Chairman directed the 
representatives of Indian Banks’ Association (IBA) to furnish replies to the 
points raised by the Members during the discussion within a week. 

The witnesses then withdrew. 


Part IV 

(1300 hrs. to 1400 hrs.) 
WITNESS 


Dr. ReetiKa Khera, Visitor, Centre for Development Economics, Delhi School of 
Economics 

6. The Committee then heard Dr. Reetika Khera, on “The National 
Identification Authority of India Bin, 2010". The major issues discussed broadly 
i elated to nature of Aadhaar number; existing ID proof documents and need fcr 
aadhaar number, usage and benefits of aadhaar number particularly in 
Mahatama Gandhi National Rural Employment Guarantee Scheme. Public 
Distribution System, implications of the UID programme; relevance pf Report of 
London School of Economics on UK’s Identity Act 2006 in the context of 
aadhaar number etc. The Chairman directed the expert to furnish replies to the 
points raised by the Members during the discussion within a week. 



A verbatim record of the proceedings was kept. 
The witness then withdrew 

The Committee then adjourned at 14C0 nours. 
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MINUTES OF THE TWENTY-SECOND SITTING OF THE STANDING COMMITTEE ON FINANCE (2010-11) 

The Committee sat on Friday, the 29 lh July, 2011 from 11OC hrs to 17 ■ 5 hrs. 


PRESENT 

Shrl Yashwarri Si nhs Chairman 

MEMBERS 

LOK SABHA 

2. Dr. Baliram (Lalganj) 

3. ShriCM Chang 

4. Shn Gurudas Ds sgupta 

5. Shri Nishikant Djbey 

6. Shri Eihartruhari Mahtab 

7. Shri Mangani La! Mandal 

8. Dr. Kavuru Sambasiva Rao 

9. Shri Manicka Tagore 

RAJYA SABHA 

—I *1 I I' 

10. Shri S.S. Ahluwalia 

11. Shri Raashid Alvi 

12. Shri Moinul Hassan 

13. Shri Satish Chandra Mir ra 

14. Shri Mahendra Mohan 

15. Dr. Mahendra Prasad 

16. Dr. K.V.P. Famachandr i Rao 


SECRETARIAT 

1. Shri A. K. Singh - Joint Secretary 

2. Shri R.K. Jain - Director 

3. Shri Ramkurnai Suryanarayanan - Deputy Secretary 

4. Shri Kulmohan Singh Arora - Under Sec etary 


2. XX 

XX 


3. XX 

XX 


Part I 

(1100 hrs. to 1130 hrs.) 


XX XX XX 

XX XX XX. 

Part II 

(1130 hrs. to 1300 hrs.) 
WITNESSES 

XX XX XX. 

XX XX XX. 
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The witnesses then withdrew. 
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Part ill 

(1400 hrs. to 1715 hrs.) 

WITNESSES 

Confederation of Indian Industry (Cll) 

1. Mr Arun Duggai 

Vice Chairman, International Asset Reconstruction Company (IARC) 
and Chairman Shriram Capital Limited 

2 Mr Chirag Jain, 

Chief Operating Officer 
Canada HSBC Oriental Bank of Commerce Life Insurance Company Limited 

3 Mr Ravi Gandhi, 

VP, Corporate Regulatory Affairs 
Bharti Airtei 

4 Mr Rameash Kailasam, 

Program Director 

IBM India Pvt. Limited 

4. The Committee heard the representatives of Confederation of mdian 

industry (CM) in connection with examination of ‘‘•he National Identification 

* 

Authority of India Bill, 2010’. The major issues discussed included, existing ID 
proof documents and the rationale and necessity of aadhaar number, usage, 
benefits and objects of aadhaar number; role of aadhaar number in planning 
and formulation of social policies; collection of biometric and demographic 
information; measures for enrolment of certain categories like persons with 
disability: exploration of alternate and economical identity system; opening up 
of Registrars and enrolment agencies to private sector; technological issues 
involved in the UID project; financial implications of the UID project; impact of 
the provisions of the Bill on the individual’s right to privacy; potential of possible 
use of aadhaar numbers by illegal residents; lessons learnt from global 
practice and failures experienced in different countries in establishment of 
identity system similar to aadhaar number especially relevance of report of 
London School of Economics on UK Identity Act, 2006; legality of 
implementation of the UID project before the law is enacted by the Parliament; 
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making the penai provsions of the Bill in line with IT Act, 2000 etc. The 
Chairman directed the representatives of Confederation of ndian Industry (CM) 
to give suggestions dause-by-cbiuse along-with the replies to the points raised 
by the Members within ten days. 


The; witnesses then withdrew. 


Experts 


WITNESSES 


1. Hr Usha Ramanathan, 

Independent i .aw Reseai i.her on the jurisprudence on Law, 
Poverty and Rights, New Delhi 

2. Or. R. Ramakumar, 

Associate Professor, 

Tata Institute of Social Saoncas, Mumbai 

3. Shri Gooal Krishna, 

Member, Citizen Forum for Civil Liberties, New Delhi 


5. The Committee then heard the experts on ’The National Identification 
Authority of India Bill, 2C10". The major issues discussed broadly related to 
beneficiaries of aacihaar numb a; including the eligibility of children; feasibility 
study cn the DID pioject; costs and benefits analysis of the UID project; global 
experience in creation of a national data base of its citizens with biometrics; 
convergence of data, its usage and its consequences; functioning o' the UIDAI 
under Executive ordei and implementation of the UID project before an 
enactment of law; impact of the provisions of the Bill cn civi 1 rights and liberties; 
implications of the provisions of the Rill on P.TI Act, 2005; responsibilities of 
’Introducer’ and liability of the UIDAI; outsourcing of works by the UIDAI and its 
responsibilities; alternate system of identification etc. The Chairman directed 
the experts to furnish replies lo the points raised by the Members during the 
discussion within ten ta fifteen days. 


A veroatim record of the proceedings was kept. 

The witnesses then withdrew 

* 

The Committee then adjourned 
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Minutes of the Sixth sitting of the Standing Committee on Finance (2011-12) 
The Committee sat on Thursday, the 08 th December, 2011 from 1500 hrs. to 1615 hrs. 

PRESENT 

Shri Yashwant Sinha - Chairman 

MEMBERS 

LOK SABHA 

2. Shri Shivkumar Udasi Chanabasappa 
3 Shri Harishchandra Deoram Chavan 

4. Shn BfiaKta Charan Das 

5 Shri Nishikant Dubey 

6. Shri Chandrakant Khaire 

7. Shn Ehartruhari Mahtab 

8. Shri Prem Das Rai 

9. Or. Kavura Sambasiva Rao 

10. Shri Rayapati S. Rao 

11. Shri Magunta Sreenivasuiu Reddy 

12 Shri C M. Siddeswa r a 

13. Shri Yashvir Singh 

14. Shri R. Thamaraiseivan 

15. Dr. M. Thambidurai 

RA-JYA SABHA 

16. Shri S.S. Ahiuwalia 

17. Shri Raashid Alvi 

18. Shri Vijay Jawaharlal Darda 

19. Shri Moinul Hassan 

20. Shri Satish Chandra Misra 

21. Shri Mahendra Mohan 

22. Dr. Mahendra Prasad 

23. Dr. K.V.P. Ramachandra Rao 

24. Shri Yogendra P. Trivedi 

SECRETARIAT 

1. Shri A. K. Singh 

2. Shri R.K. .lain 

3. Shri Ramkumar Sucyanarayanan 


Joint Secretary 
Director 

Deputy Secretary 
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2. The Committee took uo the following draft Repo Is for consideration and 
adoption > 

(i) The Insurarce Laws (Amendment) Bill, 2008; 

(ii) The National Identification Authority of India Bill, 2010, and 

(iii) The Banking Lav/s (Amendment) Bill, 2011. 

3 The Committee adopted the above draff re oorts with some minor 
modifications/changes as suggested by Membets. The Committee authorised the 
Chairman to finalise C.e Reports in the light of the modifications suggested and 

present these Reports Parlianent. 




The Copmitfee 'hen adjourned 
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Bathinda UID agency may have violated norms in 

sensitive data collection 

N& vicevan Gapal : Bathinda, Fri Jun 24 2011, 03:29 hrs 



Related Ait ides 

S ^ V H W . _ 4 , 

MMKUa lifirpd Li? aCQUiru A; alfJLpiyL SS'&U0£idrtmX4iLiVI ridsfl 
i K?t* 3fei i imm. ,> si jo 111 ptflbc,amcb toi 

MtHl VsiiUUaO&plut rlvULbe bv ; nnn'hs 

P.jikiaaslu. J\u dephanu. dut]UucAij>.i lnJfctauU 

Firm dentes itHxtngdomg. authority says need to examine .uliether violations have taken place 

An empanelled emoiment agency of Unique Iuentihcation Authonty of India may have violated the no mis laid down by the 
authotity and given collection o f sensitive data tiom lesiuents ot Bathmda dist.iet to othei turns 


>ouneb alleged Alaukil Fin^ec Ltd, which „ the empanelled agenc> toi the demography and biomet. ic data collect ion foi the 12- 
digit unique numbet Audhaei, had given the work lo: Bathinda di^ti*ct to a peiscu named Nitm Singla, win in tirni sub- 
conl 1 acted it to some othei local {iconic 


As peirthe contract ‘between Punjab Food and Civil Supplies Department, the tegistra* in the contract, and Alankit Finsec Ltd. the 
ag-rey was to be paid i'o 30 pei enrolment but sources alleged Alankit had outsouiced u tt> Single for Ri. iq, who fuithei sub- 
oontiacted it forcheapei lates to utheis 


Bui kingla denied the allegation„ and claimed he worked as a aica manager with Alankit Finsec Ltd. “I am an employee of Alankit 
Fmsec Ltd and no work has been outsourced by the agency nor it has been outsouiced to me by the agency," Singla claimed. 

UIDAI pays Its 50 to state government toi every enrolment and leaves it to the state to decide on selecting the enrolment agenev 

UIDAI Deputy Director Genet al (Establishment) D Kumat maintained that as per the uorms no outsourcing can be allowed. “But 
vheihei any violation has taken place is to be first seen bj the registrar (Punjab Foot! and Civil Supplies Department) and by our 
oHkc in Chandigarh, M he said. 

Ptiiijao Food and Civil Supplies Cirectot Aik Nanda Dyal said she would examine tlie mattci “I would go through the guidelines 
and e\ammc die matter, “ she ^aid 


UIDAI Assistant Director Ocnera I in Chandigarh, Cham Bali, said, "I am not sure whether it is a violation or not. It is a policy 
mat let and officials from head office can bettei speak on this It is, howevei, not piactically possible for the enrolment agency to 
lure all the requited manpower oh the company rolls. There me certain liberties to enrolment agencies and to certain extent the 
agencies can outsource maupowei " 

Ho'vevei, the guidelines for selecting t he enrolment agency *11 the Request for Quotation (RFQ) m the official website of UIDaI 
categorically states: “The suppliei (road enrolment agency) shall not be permitted lo sub-contract any part of its obligations, 
duties, or lesponsibilities under the contract." 


in Bckhra village, uiie Kunai Shamu, who claims to be a partner with Soltel Systems, caid they had been given the work to collect 

the data by Nitiu Singla. 

♦ 

“Wc have been provided the equipment and are being paid Rs 9 per card for collecting the details,** Shamu told The Indian 
Express 

But Singla refuted Sharma's claims and said he was also rn employee of Alankit. “Only he (Kunai Sharma) knows why he said so 
(that work was outsourced to Sottel Systems for Its 9 pei caul)," he said. 


Alankit, on its part, has claimed that theie was uothing wrong in outsouicing work “We are operating in 10 states of India. We 
cannot hue operatois and manpower foi the company in the each and every part. There is no bar in outsourcing the job to arrange 
the tuanjxnver for us. The equipments for eanying the job have been provided by us Moteovei, the salarief to the manpower are 
being paid by us," Viney Chawla, company secretary of Alankit, said. 

On whethei the agency complied with guidelines related to labour laws, provident fond and minimum wages while utilising the 
*»i \ ices of such manpowet, Chavda said, "It is the rosponsibility of the manpower provider." 


Probe in Muktsar 

Sources said following a complaint that "behaviour of operators was not rosident friendly", the UIDAI has initiated a probe in 
MiiUsar district. Sources alleged that the enrolment agency, which is collecting the demographic and biometiic data of residents 
in Muktsar, is also an Alaukit group company “Yes, theie is a complaint that residents aie not able to talk ^ officials of enrolment 
agenev in Muktsai and aie not being guided properly. We are looking into the complaint, Bali said 
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“Biometric matching is not a perfect 
process. There is an element of 
judgment, and there will always be 
the result: This fingerprint is pretty 
close to three other fingerprints’, 
which you then need to check 
manually and figure out.” 

DR EDGAR WHITLEY is Reader in Informa- 
lion Systems at the Information Systems and In¬ 
novation Group in the i-ondon School of Economics 
and Political Science. He has a PhD in Information 
Systems from the USE His research and practical 
interests include global outsourcing*, social aspects of 
IT-based change, collaborative innovation in an out¬ 
sourcing context, and the business implications of 
cloud computing. He is also an expeil in identity, 
privacy and security issues relating to information- 
ai>d Net-based technologies. 

Whitley was the research coordinator of the LSE 
Identity Pi eject and represented the project at the 
Science and Technology Select Committee review of 
the scheme. He has written extensively about the 
United Kingdom's identity cards programme fbi 
bod) academic and trade audiences and is a frequent 
media commentator on the scheme. His recent pub¬ 
lications include work on the technological and po¬ 
litical aspects of the programme. In 2009, he 
co-authored with Gus Hosein a book titled Global 
Challenges for Identity Policies (Palgrave Macmil¬ 
lan, Basingstoke, U.IC). He spoke to Frontline at his 
USE office ou October IS. 

Thank you Edgar for agreeing to do this interview. 

You would have guessed that the decision to do this 
interview is inspired by certain recent events in 
India, where an identity project largely similar to 
the project in the United Kingdom is being 
implemented. In your view, what were the major 



EttiGAft WKHTLSV: "YMEftE was the question of 
the schemes legality." 


reasons behind the U.K. government's decision in 
2004 to bring in an Identity card project? Was there 
only an ‘internal security” dimension to it? Or were 
there other dimensions, too, such as 
“developmental”? 

In many ways, this is a really great question to 
begin the interview, because it is kind of a puzzle that 
we have never been able to find a satisfactory answer 
to oiu selves. The idea of having* identity cards has 
been one that almost eveiy Home Secretary had at 
least thought about and had some consultations with 
civil servants at some stage, before they backed out. 
So, in the UX, in 2002, there was a discussion about 
“entitlement cards” that slowly gave way to “identity 
cards”. I think the idea that there was a single policy 
reason or a few policy reasons behind the identity 
card project would not fit the facts well. If you take 
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entitlements to access public services, 
then a tew features of the project could 
be thought of as leading us to such r, 
view. If you take national security, 
then, certain otter features ot die nro- 
jeci could te tnougiuof as leading us to 
such a view, fa addition, there was a 
real space where l could have jokingly 
said about the reasons behind die pro¬ 
ject as. ‘’Oh, it is Tuesday texlay, so for 
today *X‘ might be the reason behind 
the protect.*' This was partly the way 
the description, discussion and argu¬ 
ments for die project evolved uvei 
time, both naturally as a policy devel¬ 
opment and in response to die chal¬ 
lenges and questions lh«u the project 
faced at each point of time. 

So, by about 200y», wneu the pop¬ 
ularity of die project was filtering bad- 
!s, to put it mildly, emphasis suddenly 
moved to enabling young oeople, wlio 
did not necessarily have a detailed 
credit history or biographical foot¬ 
prints, to be able to prove wlio they are 
for frequent transactions, such as 
opening a bank account or registering 
for a mobile phone numter, and so on. 
lliis particular strategy was a response 
to die fact that odier claims were not 
proving to be successful, as they had 
initially hoped Another argument was 
that this scheme would help to build 
confidence in people working in air¬ 
ports, which was a typical ‘‘national 
security* reason. But die airport 
unions fought back against it and they 
had to limit it to two small trial pro¬ 
jects in two small airports. During oth¬ 
er times, some of the arguments put 
forward were responses to policy de¬ 
sign decisions. So, sometimes they 
thought it maybe better to emphasise 
tlte idea that the ID card can be used to 
travel freely across Europe without 
carrying passports. 

So, the claims and responses kept 
changing. That is why 1 said it was a 
great question to begin this conversa¬ 
tion. If die idea of having a centralised 
database was to address questions of 
identity fraud, so that people would 
not have more than one identity caid, 
then there were othei ways hi which 
you could do that without resort to 
such centralisation of personal infor¬ 



mation. So, I suspect there was abroad 
kind of direction; when some aspects 
of the project appeared 10 be faltering 
in popularity, othe* claim:* weie made, 
and this process continued as the pro¬ 
ject evolved. 


(KSCRIHINATJON CONCERNS 

Was the "entitlement card**, linked to 
the ID card project, linked to reforms 
in the National Health Services (NHS), 
that is, to reduce leakages? 

It was essentially about concerns 
about people who were not entitled to 
public-funded services like the NHS 
having access to them. So, if students 
were entitled to the NHS during the 
period of their study, and they didn’t 
return to their home country, maybe 
you could argue that fraud could be 
reduced if you insist that the ID card 
should be produced at the NHS cen¬ 
tres. But there are practical problems 
that emeige from this policy. The 
counter argument was that this makes 
the doctoi a receptionist, equates him 
to a border Official, having to do duties 
way beyond what he was reasonably 
expected to do. Further, this also re¬ 
writes what citizenship or entitlement 
actually means. 

There is also a very practical risk of 
discrimination. If a surgeon is doing 
this checking* for entitlement, and I, as 
a white middle-class male, come along 
and say, “1 am sorry, I don't have my 
card with me, bull would like to book a 
doctoi *s appointment", will I be treat¬ 
ed in the same way as a U.IC. national 
whose skin colour is not white and first 


language is not English? The latter 
might be checked more despite the fact 
that their entitlement is exactly the 
same as mine, and there are conse¬ 
quents l concerns of discrimination 
that aie very serious. 

What were the major arguments in 
the LSE report? 

We had argued that the ID ciu-d 
system could offer some basic public 
interest and commercial sector bene¬ 
fits. But we also identified six key areas 
of concern with the government’s 
plans. First, evidence from other na¬ 
tional identity systems showed that 
such schemes performed best when es¬ 
tablished for clear and focussed pur¬ 
poses. The U.K. scheme had multiple, 
rather general, rationales, suggesting 
that it had been ‘gold-plated* to justify 
the high-tech scheme. 

Secondly, there was concern over 
whether the technology would work. 
No scheme on this scale had teen un¬ 
dertaken anywhere in the woild. The 
India project is. of course, even bigger. 
Smaller and less ambitious schemes 
hacl encountered substantial techno¬ 
logical and operational problems, 
which may get amplified in a large- 
scale national system. The use of bio¬ 
metrics created particular concerns, 
because this technology had nevei 
been used on such a scale. 

Thirdly, there was the question of 
the scheme’s legality. A number of ele¬ 
ments of the scheme potentially com¬ 
promised Article fl (privacy) and 
Article 14* (discrimination) of the Eu¬ 
ropean Convention on Human Rights. 
The government was also in broach of 
law by requiring fingerprints as a pre¬ 
requisite for receipt of a passport. 
There was a lot of talk from the propo¬ 
nents about international obligations. 
However, the report found no case as 
to why the ID card requirements 
should be bound to passport 
documents. 

Fourthly, we felt that the National 
Data Register was likely to create a 
very Urge data pool in one place that 
could be niv enhanced security risk in 
case of unauthorised accesses, hacking 
or malfunctions. 
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Fifthly, according to us, an identity 
system that is well accepted by citizens 
ii> likely to be tar more successful in use 
than one that is controversial or raises 
privacy concerns. This was important 
m oi der to realise the publit value that 
citizens would want io carry their ID 
card:: nidi them and to use them m a 
wide range of settings. 

Anally, the cost p«u' . Compliance 
vith the ID raids Bill would have 
meant that even small firms wcvld 
have had to pay £250 for sm a it card 
readers and other requirements, 
which would have added to the admin¬ 
istrative burdens that firms faced. 

You haze argued in die report that the 
“scheme should be regarded as a 
potential danger to the public interest 
and to Hie legal rights of individuals”. 
Was privacy the legal light you wera 
referring *o? 

Yes, privacy in terms of the diua 
controlled by die government. There 
was a separate concern about rite audit 
trail. Sc, when you entered into a 
transaction where you had to produce 
your ID eaixi, die des’gn ot the system 
was such that a reeoid would be kepi of 
cvety such verification. Good idea, be¬ 
cause k allows you to check foi forgery 
in transactions. However, tne negative 
version of that is it provides a detailed 
record of every transaction you have 
done, which can be of interest to either 
people browsing die database or to se¬ 
curity services or whoever. The record 
here wouldn't be just that your identity 
was verified; theie would be a little 
more data associated with the trans¬ 
action. For example, you went to 
Health Clinic Number 4*5. They used 
your card and your fingerprint there 
for verification. They did diis at 12:37 
ltours. There is a series of metadata 
associated with that visit that would be 
there in the audit trail. And, of course, 
it wouldn’t lake very long to realise 
that, actually, Health ainic Number 
4*5 is a sexual health clinic. If the audit 
trail also shows that you were there on 
a number of occasions, il might be rea¬ 
sonable to infer certain kinds of things 
that you perhaps do not want to dis¬ 
close. Some things arc not necessary to 
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be disclosed, but which are being le- 
covded and stored Ir. an accessible way 
to various people because of the way 
the system is designed. 

A second concern was with the way 
biometiics was being used. Although 
fingerprints and iris scans are useful 
ways of linking a person to their bio¬ 
metric, one problem if you take 
straightforward images is that they 
aren't revocable. So, if you have a pass¬ 
word for your e-mail account, and you 
realise that someone has broken into 
youi e-mail account, you can always 
reset your password. If the biometiic is 
stolen, die possibility of revolting it he¬ 
roines almost impossible. It’s gone. 

“Death of privacy ’ is what some a< gue 
in the wake of the massive 
technological advances that we have 
had. Your comments. 

That is just one way ol looking at 
the technological advances. To my 
mind, il is an overly deterministic 
proposition. What you are doing here 
is not allowing for user choice of de¬ 
signs and not allowing for innovative 
alternative designs. It’s a too straight¬ 
forward view. Clearly, there are priva¬ 
cy concerns that are more difficult to 
address with the new technologies. 
The fact that when you visit a web 
page, they know where you came from, 
what your browser configuration is, 
what plug-ins you have, what screen 
resolution, and so on. Yo,. could be 
pretty uniquely identified just from the 
browser. But there are things that you 
can do You can do private browsing, 
you can have do-not-track options, you 
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can delete your cookies and if you are 
really sophisticated, you could also do 
things like onion routing. There are 
also opportunities for companies to 
declare themselves as privacy-friendly, 
and they could be good competitor s to 
other companies that are not so priva¬ 
cy-friendly. So, the idea of u death of 
privacy" is too simplistic a view. 

Theie are always alternatives; 
there are always different ways in 
which a society can respond to these 
kinds of concerns and issues. There are 
always possibilities to have privacy-en¬ 
hancing means of identification For 
instance, you could have an ID card 
with a chip, which has your finger¬ 
print, o. a part of it, stored us a tem¬ 
plate. U is not stored in any central 
database, but it is in the chip of your 
card and your card is with you. 

So, when you have to prove that 
you are you, you could just swipe tire 
card and tfive your fingerprint, after 
which you could be identified as the 
bearer of that curd. No one gets your 
information stored in that card. That’s 
a privacy-friendly way of identifica¬ 
tion. 

The fim generation technology 
here are chip cards, the second gener¬ 
ation technology is stickers on your 
mobile phones and the third gener¬ 
ation technology is a chip inside yo.u* 
mobile phone. The chip may have your 
name, your database, your fingerprint 
template and a little bit more data on 
who issued it and all that. But nothing 
about where you have been, no audit 
trails, no records and thus, 
privacy-enhancing. 

Are there countries that have tried 
these methods? 

This has not yet become the obvi¬ 
ous way to do it because it takes a while 
to get your nead around. The point 
here is that you need to understand 
what it is that you want. Technically, 
you only want proof that the person is 
himself.and a little bit more. 

BIOMETRIC MATCHING 

You were very critical of the 
technology of biometrics being used 
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in the project. Yen argued that 'the 
technology envisioned for this scheme 
is, to a large extent, untested and 
unreliable". Was this assessment 
based on technical inputs from 
biometric experts? Could you 
elaborate on the comments from 
biometric experts? 

We used some feedback from bio¬ 
metric expert?, but we also independ¬ 
ently looked At already pubbshed 
reseai-ch work on biometries. Certain¬ 
ly, in terms of’ the urtestedness, the 
scales of studies dial had been done for 
both fingerprints and iris scans were 
fairly limited. 

There were Ur better performance 
results on A 1:1 match. So, this is Ed¬ 
gar’s fingerprint on the database, here 
is Edgar, we do 1:1 match; Lius is more 
likely to work. But that wa-* not liow 
the U.IC was planning to use it. The 
U.K. v'as tlying to use biometrics to 
also prevent duplicate identities. The 
idea was that even if I tiy to enrol 
twice, and even if 1 had cieated a fake 
biograpnic identity (say. a John Smith 
with a different address), when my fin¬ 
gerprint came in for a second time, the 
system should come along and say: 
“We know this fingetprint, and this 
belongs tc Edgar Whitley “and not say, 
John Smith. Here you have c o match 
every single bionieti ic with every sin¬ 
gle pievious biometric. 

Biometric matching is not a perfect 
process. There is an element of judg¬ 
ment, and there will always he the re¬ 
sult: “This fingerprint is pretty dose to 
three other fingerprints”, which you 
then need lo check manually and fig¬ 
ure out. But this increases the cost, let 
atone concerns about reliabUity. 

Now, tliere is always apossibilityof 
a fraudulent use; dial is, if I am really 
John Smith, l could have applied with 
Edgar Whitley's biographical details. 
That's possible, though difficult. 

So, for instance, victims of domes¬ 
tic abuse could be given a completely 
new identity with a stolen set of bio¬ 
metrics. 

You also have major issues with 
gender reassignment, which will cre¬ 
ate unnecessary interfetences into 
your private life. 


The U.K. project was to have iris 
scans, but they were dropped later. 
Was there a reason? 

Iris scans were always present in 
the documents tha* were discussed in 
Parliament. The p* oponents of ins 
scans claim that they are far belter 
than fingerprints at differentiating 
people. Thul is because you collect a far 
huger number of data pomts in j'our 
iris scan than in the ringc.print. r lhe 
problem with the iris biometric at that 
time was that the set-up tor the cap¬ 
ture of the iris biometric* had to be well 
managed. 


"You could have 
an ID card with 



If there is a sudden gcod sunshine, 
vei y noticeably the room is brightened 
up. So, yon need to potentially adjust 
your iris-capture device to allow for 
those kinds of set-ups. But we know 
from the experience of airports that 
iris devices oflen have problems in op¬ 
erating at their hill performance level; 
airports aie designed by architects, 
and architects use lots of glass and 
open space, which allow for light to 
come in seamlessly and brighten up 
die space. This creates a lot of prob¬ 
lems for iris recognition systems. 

There is also interesting empirical 
research that shows that as you move 
from one version of the technology to 
newei versions, you get perfoimance 
differences because they capture iris 
images slightly differently. 

So, you don’t get quite the same 
results in matching as you move with 
versions. These weie the reasons why 
the U.K government dropped iris 
scans from the plan in 2000’. 
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What wa*. the nature of the response 
among the British people to the 
Identity project? Were there mass 
protests? Or was it mostly through 
the social media that the protest 
spread? .find, was It due to these 
protests that the project was finally 
shelved In 2010V 

It got scrapped because the parties 
that came to power were opposed to it. 
In piactice, you don't vote on the basis 
ot your view of one single scheme. 
Tliere was a lobby gvoup called 
‘'N02ID", which was veiy effective in 
getting the message out about thei: 
concerns with the whole process. 1 was 
on their mailing list, and eveiy week, 
along with the news items on the 
scheme, there was also information on 
where meetings were to be lield, where 
you could meet MPs And ask questions 
about the scheme, and so on. Scores of 
local octixists got involved in this, 
again from both the Left and the Right. 
This was no civil disobedience move¬ 
ment, but just explaining what these 
proposals were and what they are go¬ 
ing to mean, and trying to convince 
people over what some of the dangers 
were. 

They were also continuously talk¬ 
ing to journalists and explaining what 
this meant in practice, aL levels of de¬ 
tail. They kept telling journalists why 
biometrics could not be the “magic 
bullet". The press coverage was over¬ 
whelmingly comfortable with that 
critical analysis. 

The technology press and its sci¬ 
ence and technology correspondents 
were eager to deal with these ques¬ 
tions. They asked those questions. So, 
there was general awareness building 
in a major way. 

Have you been following the Indian 
debate around unique ID numbers? 

Any views? 

I have been following it one step 
removed. We have been speaking to 
people though, I think in India, too, it 
is important to raise these policy ques¬ 
tions that l icferred to just a while 
back. 

Thank you very much, Edgar. □ 





The UID Project 
and Welfare Schemes 


related to a project such as the uid, bv 

* 

drawing a few parallel; between the now- 
abandoned Umred Kingdom Identity Bill 
and the uid project in India. 
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T he Unique IdciiriJic-uion (u:d) project 
is a flagship project of the United 
Piogressive AJhanre-u (upvu) gov- 


This at tide docunteitts and thqn 
examines the various benefits 
tha:. ic is claimed, will flow from 
linking Lhe Unique Identity 
number with the public 
distribution system and the 
National Rural Employment 
Guarantee Scheme. It filters the 
unfounded claims, which arise 
from a poor understanding oi 
how the pds and nregs function, 
from the genuine ones. On the 
latter, there are several 
demanding conditions that need 
be met in order to reap 
marginal benefits. A hasty linking 
of the pds/kreoa wkh the uid 
can be very disruptive. Therefore, 
other cheaper technological 
innovations currently in use in 
some parts of the country to fix 
existing loopholes in a less 
disruptive manner are explored. 
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emivenr. The Unique Identification Autho¬ 
rity ol India's pjiovi) ambitious plan 
ol issuing a unique biometric-enabled 
number, innocuously called “Aaclhaar” to 
every Indian lesident has also begun 10 
generate a debate oi. cuhen-stace .cla¬ 
rions, privacy, firanciai implications, and 
operational practicalities . 1 

What the debate has largely mused so 
far, however, is the audibility of the uitv.’o 
claims m die field ol social policy, parti¬ 
cularly the National Kural Employment 
Guarantee Act (nrgca) and public distri¬ 
bution system (pds) A number of claims 
(“the project oossesses the power to elimi¬ 
nate financial exclusion, enhance acces¬ 
sibility, and uplift living standards foi 
the majority poor') have been made by the 
inoAi, but have not been carefully analysed. 

In this article, 1 filter the unfounded 
claims lioin the v alid ones The mislead¬ 
ing claims with lespect to the nrcga and 
pds seem to be the result of superficial 
research into what ails these two pro¬ 
grammes. Even with respect to the valid 
claims, such as helping with de-duplica¬ 
tion of pds raids, theie aie caveats which 
have not been adequately discussed so far. 

Thus in Sections i and 2 , the focus is cn 
what the uid can and cannot do for the 
nrega and pus. In the next section, the 
possible fallout of a hasty imposition of 
uid on the nkcca/pds is examined briefly 
I also examine the scenario in which the 
existence of the ‘soft infrastructuie" that 
the uidai aims to picvide is important - 
namely, a tiansinon from nrcga and pds 
to cash traaiters The government needs 
to initiate an open discussion on cash 
transfers (.if they are on the cards) rathei 
than attempting to make a surreptitious 
transition to them In die final section, l 
highlight some of the larger concerns 


Before proceeding, it is worth recalling 
diat being enrolled in the Andh-iar data¬ 
base and being given a number in itself 
carries no welfare benefits. Havingfan 
Aadlnntr number does not eliminate the 
need to apply for a bank account, or a ra¬ 
tion card or a job carJ (required to be eli¬ 
gible for woik under nrfga). It can unlv 

m 

serve as a valid fo»m of Identity in the 
iame way that a driver’s licence or pass¬ 
port currently do 

1 NREGA: Barking Up 
the Wrong Tree 2 

The uidai has a four-page document on 
nrcga. From this document, it is dear 
that its officials ^fe poorly informed on 
issues relating to nrcga. Resulting from 
its poor understanding of the programme 
are several claims of improving efficiency 
in government spending. I discuss a few of 
these claims below: controlling corrup¬ 
tion in nrcga, eliminating financial ex¬ 
clusion, preventing exclusion from gov¬ 
ernment progiammes due to the lack of 
identity proof, and so on. 

One good example of the uidai being 
poorly informed is us statement regaraing 
nrega wage payments (Government of 
India 2010 a * 2 ). The uidai claims that the 
uid will enable financial inclusion, but it 
seems to be unaware cl lat wage payments 
Through banks and pose offices became 
mandatory in 2008 . The transition to 
bank payments is now largely complete. A 
large majority of nrega workers already 
have a bank (or posr office) account: more 
than nine crore nrega accounts (covering 
83 % of nrega job cards) were opened by 
the end of 2009 - 10 . This is not to say that 
the opening of bank accounts was a 
smooth process. The main hurdle was not 
so much the Know Your Customer (xvc) 
norms (as claimed by the uidai) but that 
the coverage of banks and post offices in 
rural areas is inadequate, the ones that ex¬ 
ist aie under-scaffed, and post offices in 
many parts do not maintain computerised 
lecordsA Tamil Nadu is the only state that 
still makes cash payments, on the grounds 
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that it is able to control leakages within 
the cash system and that cash payment! 
help to ensure timely disbursal of wages 
Field evidence suggests that there is some 
truth in this claim of the Tamil Nadu gov 
ernment (Khera and Muthiah 1010). 

The claim of controlling corruption 
through the uid is made on the premis! that 
payments an* still being made in carh. hi 
the days of cash payments of nrega u ape* , 
the main source of embesdemern was b / 
fudging attendance records - by ekhei adc • 
ing names of people who had not workec, 
or inflating the attendance of those wh ) 
hnd worked Payment of wages throug i 
banks and post office has made wag; 
corruption quite difficult Howe/er, tnree 
potential channels for siphoning off money 
remain open - extortion, collusion ani 
deception 4 Extortion means that when 
"inflated" wages are withdrawn by the 
labourer, the middleman turns extoci ioni >t 
and takes bis share from him o 1 h<*\ 
Collusion means that the labourer and tbe 
middleman agree to share the inflated 
wages that are credited to the labourer’s 
account. Deception means that middle¬ 
men open and operate accounts on behalf 
of labourers, withdraw die inflated wages 
from these bank accounts, pay workers the ir 
due in cash, and pocket the differcnc!. 
Biometric-enabled uid to authentica e 
identity car help to prevent “deception", 
b f, t is of little use in preventing colhisic n 
or extortion. 

Facilitating "doorstqi banking” throuf h 
banking correspondents (the "bc model') 
is supposed to be another benefit of the 
uid. At the moment, labourers often ha’ p e 
to go long distances to withdraw their 
wages. Banking correspondents (interm: 
d.aries who extend banking services to 
remote villages) are supposed to enable 
disbursal of wages at their doorstep. He -e 
again, however, there are issues of praci- 
cality and effectiveness, and we need to 
consider alternatives. Modernising and 
computerising post offices would also con¬ 
tribute to making banking services acct s- 
sible. As a long-term measure, the govern¬ 
ment should consider an expansion of t te 
rural banking network. Appointment of 
local kirnna stores as banking correspond¬ 
ents could bc a regressive step, as it would 
mean routing nrega wages through t \e 
local barua (often a moneylender also). 
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The bc .nodel could end up diluting the 
sanctity of existing banking practices 
At the end of the day, it is not clear from 
the uidai documents exactly how uid 
suppose I to help nrega. There is no obvi¬ 
ous problem of "identity fraud” in nrega 
that uid is waiting to resolve There is no 
evidenc'*. foi instance, of fake job cards 
being a i iaior p*oblem An nrega job can! 
is not !i <c a tds ration card, which auto 
maiicaUv emitles the holder to subsid,sed 
grain. To get benefits under ihe nrega, 
t^-e Job c upholder is squired to work - so 
a fake r > card is orhttle use perse Claim¬ 
ing benefits without working requres 
eollusio * oe'vveen non-working job card¬ 
holder; nnd implementing officials. If the 
two panics collude, some job cardholders 
can h?we wages a edited to their bank 
account:., by getting on muster rolls, uid 
purport:, to prevent this through "biomet¬ 
ric attendance at the worksite”, but the 
practicality Df this imaginative idea is far 
from char - it could easily create rroie 
problems than it resolves. And some forms 
of coll j' ion can persist even with biomet- 
i ic attendance at the worksite 
For t* ic nkcca, the uid, if it works, will 
help to plug sonic minor loopholes. This 
does nut justify the sweeping claims 
that an: made In Section 3,1 discuss the 
disruption that it can cause, if the uid and 
nrega tire linked. 

X PDS Is Thc^c a Case for the UID? 

X.l Improving Inclusion 

Similar claims arc made with respect to 
the po!.. For instance, the uidai often 
claims .hat chc project will improve access 
to government sendees, uidai officials 
have S3 id that many Indians are deprived 
of government benefits because they do 
not hat c the required identity proof.' This 
claim is based on an incorrect diagnosis of 
why prople arc excluded from govern¬ 
ment schemes. 

Thci 1 arc two important causes for the 
exclusion of a large number of people 

from .rovernmrnt programmes - one, 

* 

poor coverage related to low allocations 
for thc-c programmes and two, nusclassi- 
ficatioti of people. Social welfare expendi¬ 
ture in the country is not adequate to pro¬ 
vide universal benefits (Gupta 2010). In 
such a situation, the government has 
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rcr orted to making many social welfare 
schemes targeted programmes. When 
schemes are targeted, benefits a r e condi¬ 
tional upon being classified, say, as a be¬ 
low poverty line (bpl) family The selec- 
ticn of bpl families is based on a census 
which is conceptually flawed and poorly 
implemented (Mirway 2003, Swaminath- 
3n and Mishra 2001, Khera 2008, Dy£zq 
ard Khera 2010a). 

.Vote that mlsclassification of families 
in the "bpl census" has little to do with 
identity fraud or “duplication". Misclassifi- 
caiion can occur when the criteria used 
fo~ identification of bpl families are incot- 
re .:t (e g, in a previous dpi census, the 
ownership of a fan led to exclusion of fam 
iliis from the bpl list) or when govern 
nvint criteria are not adhered to (c g, fami- 
ii<* misrepoit their staros, or the surveyo * 
records incorrectly). 

Yet the uidai gives the impression that 
ir ^classification of households can bc 
cc ntrolled (if not stopped) with the help of 
unique identity numbers. "The eventual 
nature of an Aadhaar-Iinked approach in 
pds would depend on the particular bene¬ 
fit s the government hopes to gain. Using 
A idhaar solely for identification would 
£i table clear targeting of pds bcncficiancs, 
the inclusion of marginal groups, and ex- 
p inded coverage of the poor through the 
c imination of fakes and duplicates" (Gov- 
e nment of India 2010b. 3, italics added). 

2.2 Portability of Benefits 

The uidai also makes a claim of "portability 
o r benefits”, i e, that with a uid, benefici¬ 
aries can claim their benefits wherever 
tl tey are. A pds that allows beneficiaries to 
draw their rations from anywhere in the 
c >untry would indeed be a desirable im¬ 
provement over the present system. The 
portability argument is perhaps the most 
enticing aspect of the uid programme 
F owever, this too is not very well thought 
t irough. Though the uid is portable, 
benefits may not be, because the latter 
p resent operational issues that cannot be 
s }!ved by the uid. The possibility of making 
t le current form of identity authentication 
(. e, the ration card) “mobile" has not been 
explored. A computerised database of 
cardholders, with holograms and/01 bar¬ 
codes on ration cards, could also make 
rnion cards mobile. Smart cards or food 
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coupon; can also serve the purpose of 
providing a portable identity, which can 
Iv easih* auchemicaced anywhere. 

Reuu ring to opeiadonal issues related 
i«*poH.'tbjlitv, i* benefits are portable and 
grain allegations to pos outlets arc based 
t*n die previous month’s sales (.as recom¬ 
mended r»v the utdai), matching supplies 
to unjxedtetabte demand becomes Uif* 
R-uh • : ) h state ^ets a t*xcd quanta} of 
foodgrain*. based on rhe number or ration 
t aids irom the cent* ai government. 
Stream I nung supply to tracer to a pos tnat 
nUov/b j *< >riabil icy of bei>efits is not j sim¬ 
ple niattei Building in portability across 
iidies u especially challenging (think of 
interstate migration ) 7 

^.3 Bogus Gards and 
‘De-duplication 3 

Anothei milated claim relates to die elim¬ 
ination of“bogus" cards in the pds. There 

V 

can be three types of bogus cards: 
u) ‘ghost" cards, i c, where cards exisf in 
(he names of non-existent ot deceased 
persons, fb) “duplicates’' where one peoson 
u household, entitled to one card, man¬ 
ages to yet more through unfair means; 
and (c) ‘mi sdarsified” cards, wheni/iWtgi- 
M<? pm son s/house holds claim benefits lor, 
inclusion cirors) 

Tlie main fallout of ‘’bogus” cards 
wheie schemes are targeted (such as die 
pds) is char tt denies a genuine beneficiary 
his/itei cmitlcments. Elimination of ix'gus 
turds can contribute to improving the 
efficiency of government schemes The 
uro can help eliminate only die first two 
types of bogus caids. As discussed earlier, 
i no can do nothing about inclusion errors. 

The question then arises, what ptopor- 
tion ot all cards is bogus? 8 Reliable data on 
the ovei all proportion of bogus cards are 
I laid to lind. Vet die uioai claims that 
glwsc i at ion cards are the main problem: 

*u key source of leakage identified in The 
pds is ..ubsidised food drawn from the 
moon si up in the names of eligible families 
by someone else" (Government of India 
joiob yi Rough estimates based on 
newspap'-j repotcs (admittedly not the 
mosi ichaise source for such data) put the 
proportion of fake caids in the 2-13% range 
(Clan, -ioio, ians 2010 and Radhakrishnan 
.roio) In lamil Nadu, only 2% of cards 
were bogus (Planning Commission 2004). 


Bogus cards are indeed pai r of the problem, 
bur there is not enough evidence to say 
that this is the main source of diversion 
liom the pds. This a one source of con up¬ 
turn, though quite likely it is not the larg¬ 
est source of divcision of pds grain today 
(see more on this below) 

Second, elimination of “ghost" and “du¬ 
plicates” by biomeri ic-enabled de-duplica- 
tion requires t'uu the ddhjJt number be 
compulsory (a: icasi for chat parncuLn 
programme). This ir best explained by 
Nandan Nilekam, the dull person of uidaj 
himsell. “You can’t make ir mandatory m 
the first instance Let a say a pautruku 
Stare abides to issue fresh ration caids 
from 1 May 2011. Now, they may deckle to 
have Aadhaai numbers on all these cards. 
Foi some rime, in paiallel there will be die 
earlier cardholder who will nor have 
Aadhaar We can’t completely eliminate 
duplication. But ovci tune, as Aadhaar 
numbers m ration caids become nearly 
urivtisal, the/ca.i then say ‘from now on- 
waids, only Aadhaai-based ictior* ca:ds 
will be accepted’ At which pomt, duplica¬ 
tion will cease to exist” ^Sebastian 2010). 
The lmdai will not make it compulsory to 
get an Aadhaai number. However, that 
does not stop them from encouraging vai- 
ious government departments to make it 
compulsory There is a tension between 
voltmtaiy enrolment and achieving de¬ 
duplication. Some of the implications me 
discussed in Section 3 

In Chhaccisgarh, de-duplication has been 
attempted by computerising the database 
of ration caidholders and distributing new 
ration cards with hologiams which make 
each ration card unique. The other option 
is the use of biometrics (say, at the stage 
of issuing u Lion cards), which the uidai 
proposes to use. Tamil Nadu keeps constant 
vigil on the numbet of ration caids to 
eliminate bogus cards 

2.4 The Last Mile Problem 
A major cause of di\ersion from the pds is 
the lack of afunctional system of “last mile" 
authentication In the cui rent system, the 
movement of foodgrain is tracked till it 
leaves the godown for a ration shop. 9 
Ration dealers maintain a sales register 
and a monthly stock legister, based upon 
which the next month's rations me 
supposed to be released. However, this 


monthly squaring of records is operarional 
only in a handful of states (including 
Chhartisgath, Himachal Pradesh and 
Tamil Nadu). In ocher states, dealers fudge 
information in these legisters. 

This allows dealers to divert grain in 
two ways: first, cheating cardholders by 
undeiselling (e g, he provides only 25 kg 
out of the 35 kg entitlement of a family) 
and yet inaKc them sign foi then full quota. 
When villagers are disempowered and 
forced to buy from die same dealer, with 
f r w options of being heard by higher 
authonties, they teel resigned to accept 
r his sal ruler quantity. Second, illegal sale 
of pds grain in the open market, en route 
to the village ration shop. Dealers then 
appear helpless in the village saying rhat 
they have been given less by the audionties 
(pkhhe se kam aya hai) 

There are several options to fix the “last 
mile” problem. Introducing rood coupons 
for all entitled households is one way of 
dealing with this pioblcm. In tmscoupon 
jy:te*n, each household is requited to de¬ 
posit their coupon at the titne of purchase. 
Dealeis have to deposit diese in order'to 
get more grain released for the next 
month. The release of grain is tied to the 
number of coupons deposited back. Swip¬ 
ing sma.t caids or authenticating biomet¬ 
ric information, at the time of purchase, 
can pe* form the same function. 10 Even 
social audits (e g, reading cur details from 
the daily sales register maintained by the 
union dealer) can be employed to resolye 
last mile issues. Other cost-effective and 
technology savvy solutions have been em¬ 
ployed elsewhere - e g, in Chhatcisgarh 
grain is delivered to the village (in easily 
identifiable yellow trucks), so that a dealer 
cannot pretend that he d .d not get the grain; 
further, when trucks leave the godowns, an 
sms alert is sent to a few persons in the 
village (Dreze and Khera 2010b). The real 
problem, then, is not so much the lack of 
options for last mile authentication. Rather 
it is the lack of political will to crackdown 
on the corrupt. Political will has been lack¬ 
ing because often politicians are part of die 
corrupt nexus. 

Compulsory biometric authentication 
(with or without uid) at the last mile 
would require us to consider cases of old or 
disabled or ill persons, who currently rely 
on neighbours or relative;; to bring home 
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their ration. With biometric authentication 
there may not be -my scope of buying then 
rations ill the proposed new system. Quit* 
likely, the uioais response would be to saj 
that an “over-ride” facility can be built into 
the system for such cases. But is this really 
practical (e g, if a healthy person falls ill, 
how quickly can the system respond Id hi 
need for the override facility) and vili i 
no: again open the door to manipulation 7 
Deforc moving to the next section, note 
that fot de-duplication and last-mile 
authentication, uip is one of at least three 
distinct, options* smart cards, biometric. 
and the uio. The uto needs biometrics, 
not the other way round. The uidai doc; 
not mnke a clear distinction between 
the three, thus suggesting :hat ther ar* 
same. The relative merit* and demerits * 
cost, technological requireinents, possi¬ 
bility of fraud, etc - of each of thes i 
options need serious consideration. Qi*» 
can have biometric authentication with¬ 
out building an integral ed database a> 
proposed by the uidai. The main utility cf 
the integrated database envisaged by th : 
uidai is thar it would obviate the need for 
scheme-by-scheme enrolment which ca i 
be expensive. 11 But how many schemes 
of the Government of India need bic- 
metrics for purposes of de duplicaltoi 
and solving the 'hast mile” problem? I i 
the nrcoa, as explained above, neither 
bogus cards nor last mile authentication 
are major concerns. 

3 Implications for PDS and NFJEGA 
As noted above, de-duplication am be 
achieved only by making enrolment con - 
pulsory (at least for particular schemes'. 
The uidai has set itself a target of co^crin g 
only half or India's population in the not 
four years. The uidai is engaging mary 
registrars to meet its targets. In its iage** 
ness to de-duplicate, there is a danger th«\t 
the uid will be made compulsory in a 
rushed manner. Even with an ambitious 
target, the project will then end up exclud¬ 
ing large sections of India's populatio 1. 

Hasty integration of uid with the i*ds or 
nr eg a could, in practice, go against the 
rhetoric on "indusivity'. In fact, i "re¬ 
engineering” of the nrega is current ly in i- 
derway. 12 This involves the engagement of 
service providers” who will be respons i- 
ble for enrolling individuals for utr>, ard 
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at a later stage, involved in authentication 
(including at the worksite using hand-held 
devices) of workers. 

The consequences of tnis sort of re-en- 
gmeeting arc likely to be disastrous for 
the NRfio fi. .lob cards issued in 2006 are 
due to ccpire next yejr. If, for example, 
the Min nry of Rut a 1 Development links 
the provision oi n :wjob cards to getting a 
uid, many workers are likely to be denied 
work fot sometime to come.* 1 There is a 
real dan;.ei that tiiose who do not enrol 
w*l» be P nod away fiom the nrc^a Wc 
have alt "gdy leant this lesson - the hard 
wrty - v;hen the transition to bank pay¬ 
ments was made. Poorly equipped and un¬ 
derstaffed brnks and post offices were ex¬ 
pected t< • open millions of nrega accounts 
ovrmigh Those workers who did not 
have sue mnts began to be denied work. 

Moving on to the pd s, one of the pro¬ 
posals rooted by the unvi is that pd? 
dealers buy their grain from the open 
market .it the market price but supply it to 
pds beneficiaries at a subsidised price 
fixed by :tie go^ei nment. When a benefici¬ 
ary buy:; his/her ration, she/he would be 
required to give the uid number and be 
authent rated biometrtcaHy. Once :his is 
done, il*:: dealer would be reimbursed the 
different e between the market price and 
the sub? idised price with a small commis¬ 
sion (Gt vern nr.cnt of India 20!ob: pp 4 5 
find p t;;). It is expected that since the dif¬ 
ference between the market price and the 
sale price i« reimbursed only when the 
dealer .51 Us 10 the intended beneficiary, it 
will ensure that the dealer does not sell on 
the black market 

Interesting!)' the origin of this new 
model f:*r the ro:; can be traced to a study 
commissioned bv the India office of the 
World n ank (A ha sail et al 2008). The con- 
rultanis tirotn a software vending company 
called ( a(2Cal) prepared a report wheie 
the use of smart cards and biometrics as 
well as purchase of grain from the market 
was proposed (CabCal 2008). This pro¬ 
posal was modified slightly by the Plan¬ 
ning O: emission - instead of dealers buy¬ 
ing fror 11 he ooe.i market at market price, 
in the Planning Commission proposal the 
dealeu arc to be supplied‘by the Food 
Corpora non of India H 
Such i\ proposal, involving a major 
overhaul of the current system, would 
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nci d to be discussed and tested on a pilot 
ba* is. Possible abuse needs to be explored 
an l debated in a transparent manner. For 
in*ranee, informal field visits to Chanch- 
g«» h to study smart cards revealed that 
ae. lers keep the swiping machine inside 
thr shop, ^nd buyers have no way cf veri¬ 
fying what if being punched into the 
in; chine. This suggests that even the smau 
ca.d requires adequate safeguards (c g, 
us ng automated receipts, voice-overs, 
eul against "deception”. In some circum¬ 
stances smaf caids cou l d even facilitate 
fraud, e g because people do not ur.dei- 
str nd the whole tecnnclogy (unlike entries 
m jation cards). 

If the benefits of the uid project to two 
mejor existing socir! wclfire programmes 
(n<ega and pds) are marginal and unccr- 
tam, why is the government rushing 
ahead with it? In fact, the uio proiect with 
bi< metric authentication is very well oiuted 
fo a particular type 0! welfare scheme, 
na meiy, cash transfeis. Nandan Nilekam’s 
/rr agmmg India refers to such a proposal. 
"Ai rr-enabted, accessible national id system 
would be not!ling less than revolutionary 
in how we distribute state benefits and 
welfare handouts" (Nilekani 2008: 372), 
"1 be state could instead transfer benefits 
di ectly in the form of cash to ban!; ac- 
ccants of eligible citizens, based on then 
in :omc ieturns or ass^s” (ib«d* Plan 
ning Commission documents have also 
floated this idea.* 5 Cash transfers as a we! 
fare measure are very different from both 
the nrega and pds. If it is the intention of 
the government to transition to cash 
trinsfers, then the government must be 
trinsparent about this proposal and allow 
a aubhc discussion of it. 16 

4 LSE Identity Project Report 

A project such as the uid raises a range of 
concerns/ 7 Though these are not the sub¬ 
ject of this article, it is worth flagging these 
is ues for the interested reader. These con- 
cims have been comprehensively docu* 
ir snted by the London School of Economics 
m id Political Science Identity Project report 
(henceforth lse 2005). Though not entirely 
compaiable, there are several parallels 
between the uk Identity Bill and uidai ,s 
First, the now-scrapped uk Identity Bill 
(uk-id) was envisioned as a project foi 
"c ombating terrorism, reducing crime and 
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illegal working, reducing fraud and suengch- 
cning n<u tonal security*’. 19 The uid project 
also has its origins in a national seaiucy 
project (as ad mined by the chairman of 
ihe uilai mmsciO-” 1 ' Since the ionnacion 
of th*. uioai, it hrtS been pi ejected as an 
inn > ime to promote. 1 social inclusion -* 

St-LOHu, in L>och cases there seems to 
lun*. txen a tendency to make unfounded 
cku vti Tot instance, as discussed earlier, 
the uioai claims thar millions of Indians 
ate ivithout any .denmy vvhtch is the cause 
of them being excluded from the go vein- 
mcucs ichtroes. In che case of Che lic-'d, 
tik* t *' uoos! re pore states “Many cf r!\e 
datnis t untie about the prevalence of iden- 
oty itaud ate without foundation" (p 9) 
Simd.uiy, in bochcountries, die concerned 
auihckiiies seem 10 have overplayed the 
UKideiK' 1 of* “identity fraud 1 ’ (or, in the 
Indian context and uioaj's jargon, fix? need 
for 1 Je-«Uvphcation’') in the social sector. 22 

fhiri, both projects have raised legal 
concerns, e g, the lsc (2005) repot i 
brought up die question of compromise or 
conflict with othei laws (Disability Dis¬ 
ci tmmauon Act, Race Relations Act, Data 
Protection Act to name a few). Fiirrhei, 
•be leuott states “The legislation places 
1 equipments on individuals and organi¬ 
sations that are substantial and wide- 
ranging, and yet no indication has been 
given n lacing to how inability would be 
esmbhslted, who would asses: that liability; 
oi woo would police it ’ 5 (lse 200s. 13 ) On 
the othei hand, the draft nioa: Bill (which 
was placed on die utOAt’s website) had 
similar clauses, wtiereby individuals had 
lespousibilities but with little obligation 
on the authority. 23 On the question of 
ovei sight too there are similar concerns in 
both projects (lsc 2005. 13, Dreze 2010 
and Krish naswamy 2010). 

Fourth, the lsi*. (2005) report questions 
the project on technological (especially 
plated to the scale of the project) and 
financial grounds. The lse (2005) report 
is abo quite circumspect on the question 
of biometrics (pp 169-86). Two othei re¬ 
ports suggest that che science of biomet¬ 
rics is not quite as exact as is commonly 
behoved These repotts further question 
the scalability ol such an exeicise.” 

Finally, and most surprisingly, m India 
no m?i tents discussion of the cost of cite uid 
ptoiocr has taken place. Despite seveial 


demands for n cost benefit analysis, then.- 
is no such repoic so lat. Interestingly, one 
of the mam justifications for scrapping the 
identity project in tlu* uk was ics cost 

Concluding Remarks 

The uid is projected as a “revolutionary' 
initiative, with unpieredented gams m elft- 
neocy and transpairncy in this paper, 1 
aigued that several claims are unfounded 
or exaggeiaied and u Ilea a superficial un- 
detstanding of the problems aidieting tfij 
implementation of wrizga and the pds. As 
discussed cailier, cliete is little that the uid 
c.in do to unpro /<? implementation of nreca 
In the pds, iheie ate t.vo p* oblems to which 
die uio can contribute: last mile authenti¬ 
cation and elimination of bogus cards. 

An important caveat to bear in mine! is 
tha f die uid can contribute to out is not 
necessary for, resolving diese problems. 
The uid is one of several technological 
innovations that is possible What is not 
mentioned in the uin-u's documents is that 
many of che proposed technological in¬ 
puts can be implemented A'uhout a costly 
uid. Othei options are available (e g, the 
use of food coupons 0: smart cards 101 
last mile authenoc.ition). These option.*, 
may well be cheaper, less disiuptive, and 
more people-friendly (e g, easiei to undet- 
stand), and have the additional advan¬ 
tage of haying been tested on some scale 
in some parts of the country. The tendency 
w conflate all technology measures with 
uid creates the impulsion that ir is a nec¬ 
essary condition for refoi m 

Needless to say, technology can contrib¬ 
ute ro improving the efficiency of these 
programmes, and is often welcome. Ex¬ 
amples of cost-effective technology chat 
enhances tianspaiency and empowers 
people are readily available - eg, computei i- 
sauon of pds operations in Chhattisgarh 
and Tamil Nadu, sms- based alert systems, 
and so on. Fuithei, other measures for 
transparency cannot be discounted simplv 
because they do not involve technological 
inputs. For instance, in Rajasthan, 1 trails- 
paiency walls" listing all job cards issued, 
along with days of employment m a 
paiticulai fi". uicial year allow people to 
monitor nreca expenditure just as much 
as the on-line mis. Howevei, even techno¬ 
logy has ns limits One issue jelated to this 
that has not been discussed adequately is 


the feasibility of maintaining an updated 
database of close to one billion people. 

Finally, the possible disruption thar the 
tiansition to a uid -enabled system can 
cause must be faced squarely by the gov¬ 
ernment. The uid’s contribution to plug¬ 
ging leakages is likely to be marginal in 
the case of the pds, and even less in 
nugga However, these marginal benefits 
can he realised only by making a whole¬ 
sale migration to a new, complex and un¬ 
tested system. In rhe process, thc’*e is a 
real danger that the uid will end up hurt¬ 
ing the very people it seeks to help. 

It is time to go beyond rhe hyped bene¬ 
fits of uid and to recognise mac, if it suc¬ 
ceeds, the benefits m nrega and pds will 
be quite modest. If the uid project is to 
pave the way for cash transfers, the gov¬ 
ernment needs to state this upfront and 
allow public debate on :he issue. 
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j On iliese issues see Obr zy Uoiol, Dreze (2010). 
Cupr* (2010), Mariuganti <2009), Kamanachan 
(2010a. 2010b and 2010c), Ramkumar (20:0), 
Shau'in C2010; and SI'uk )b (2010). 

2 This, pari of ihe papei dauorares live discussion in 
an carhci article Sec Kluia (20101. 

3 See Adhikari and BIkuu (2009) lor details <im fl»e 
picblcins. advantages and labourer's perceptions 
of che -rinwMon to hank/post office payments. 

4 On rhe issue of cou option and the transition to 
bank and post office payment of NRECA wages, 
see Siddharth and Van.uk (2006), Orcrc end 
Khera (200K), and Adhikari and Bh.uia (2010) 

5 “There aie 75 million homeless people in the 
country and a lot of nom.4dic people — all of them 
don’t have an ID. VVc think UID will enhance their 
access 10 public services' (Chanperson Nandan 
Nitekai 1 in I ml'an Fa/jivs* 2029) 

6 intiiguingiy, the portability claim is repeated in 
at least four places in iheir paper on the PDS. 

7 Si. ce these claims have begun to he debunked, 
ihe UIDAI has responded by qualifying ics state¬ 
ments Foi instance in a recent Tehcika interview, 
the problem of “no identity*' was -eferftd to as a 
pioblc'm of “no mobile identity" (Vats 2010b). 

6 The third category. 1 e, inclusion errors (or mis* 
classified cards), is known to be quite large. Since 
UID cannot fix that, I focus oil duplicates and 
ghosts here. 

9 Tamil Nadu lias actually computerised ope rations . 
so that it is possible to gee real time stocks in each 
ration shop in the stare (Personal communica¬ 
tion, MVS Moni, managing director, Tamil Nadu 
Civil Supplies Corpoiadou.) 

10 In these scenario, it is still possible for the dealer 
to “extort** grain after the coupon is deposited, or 
the card is swiped, or biometrics are autlteniicaced 
Yet it would mark an improvement in those areas 
where dealers can get rwuj by saying tliai the 
grain has not reached htru. 

11 Inter-operability is another claimed benefit, hut 
this benefits the government, not the claimant 

12 The Ministry of Rural Development has put out a 
Rs 2,162 aorc tender foi thii purpose. See documents 
available online at http //nrcga.mc.in/circular/ 
eoi_conccpt.htm 

13 b> Hus scenario, the UiD heoomes* mandaiury de facto 
- (Jus is \shai “demand-diiveu*' UID will translate 
into The likelihood oflabourers being explained 
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that enrolment I* voluntary seem somewhat a^irr 
espedally In poorly governed parts of the Mry 

14 Sec Plannlr.g Commission (2010ft and 2 uob) 
Note again that even this model does not lit ccsst 
tatc the use of a UiD type database. It only need: 
biometrics or smart cards 

tS See Mehroira (2010) Several have mode ill's sug 
gestion, e g, "I vetuure to say that Aodhnfr wil 
enable us to put in place a we I!-functioning socln 
sa.Vy net for cmr citizens by unifying aM suKidic 
Into vash-based transfers" (Kclkoi zoic). 

16 While no puWu. statement has been made 01 > 
transitioning to cash tctmsfcis tn lieu of ’in kind ' 
food transfer* (such as PDS grains or nvd-da 
meals), the government hat announced tlw set 
ting up of a commit,ee, herded by Nilck.mi, to 
explore cajh transfers *nstc.td of kerosene, LP<> 
gas ai,ti leniliscr, According 10 newspaper report', 
the basts ror these cash transfers is a “successful 1 
pilot on smart card* being con luctrd In » few ratio 1 
shops of Haryana (on the smart card pilots, sc .* 
Narayrn 2011a and 2011b). The turrenl stroteg 
seems *o be to befuddle readers by using ’direct 
cash transfers’', "conditional cash transfers’, 
"smart cards" "UlO" "biometrics" interchange - 
ably to create the impression that rhcic r j rc th^ 
same or similor 

t7 In a sense, the UID project seems like a 7ist centur y 
inca‘nation of the 20th ccmury projects s tidie I 
by James Scott (1996) In "Seeing Like a Stott: 
How Certain Schemes to Improve the Mutual 
Condition Have Failed", ivlir re he highlight 1 "ret r 
conditions common to all planning disaster : 
administrative ordering of nature »nd society by 
the state: n ’high-modernist ideology’ that pittas 
confidence in the ability ol science to improve 
every aspect of human life; a willingness to tire 
authoritarian state power to effect large-scale 11 • 
tervembms; and a prostrate civil society that can¬ 
not effectively resist such plans." 

tfl "To give the United Kingdom ns an examp!: in re¬ 
lation to India is disingenuous The stated got! «>f 
that scheme was surveillance and immigration 
control. They already have « number, which the y 
started In 195,1 Their ID card was a very different 
project So let us not extrapolate randomly. 
The fact is ihar most countries have a n*tmbc " 
(Nilckitil in Vats 2ciob) 

19 "The Identity Cards Dill outlines an identity sys¬ 
tem that has eight components: the Naf :on<tf Me 1* 
llty Register, a National Identity Kegt/frudt n 
Number, the collection of t range of Biomctrl *s 
such as fingerprints, the Non or a/ Idcntit f Cor f, 
provision for ffdntmisrmrcve convergence in the 
private and public sectors, establishment of leg if 
oh/ijrarums to disclose personal data, crosv noli t- 
cetcion requirements, and the creation of new 
crimes and penalties to enforce compliant ui h 
the legislation" (LSE 2005* ; i). 

20 In response to the question "Isn’t the main jmrpo ?e 
security?" Nltckani said "You arc right, the gov¬ 
ernment In 2003 did modify the Citizenship Act 10 
create the National Citizenship Register, which is 
now the National Population Register but tha Y 
primarily an initiative by the Registrar General of 
India This government too) an initiative to haw a 
unique ID for developmental purposes, UID\I enr »e 
out of that initiative “ See Indian Express (2000' 

21 One headline even touts tt as the world’s large sc 
social inclusion initiative (Knowlcdge@Wharf >n 
2010). However, as noted earlier, the uniq ic 
number itself carries no welfare benefits. 

27 "Benefit fraud through false Identity is rtlntiw ly 
rare and we believe the cost of introducing in 
identiry card in the benefit* environment wot id 
far outweigh nny savings that could be made" 
(LSE 2005 hi) 

23 "Under the proposed Nuional Jdenbflcatf in 
Authority of India Bill (*NIDAI Bill’), if sonteoic 
finds that her 'Identity Information’ is wrong, sue 
is supposed to 'request the authority* to correct it, 
upon which the Authority ’moy, if it is satisfied, 
make such alteration as ma f be required’, fhert is 
a legal obligation lo alert the Authority but ao 
right to correction!" (Drizc 2010). 
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24 Sec 77k Feanonvst (2010) and Pato and MilleM 
(2010) See also Shukla (2010) who discusses the 
rcliahlit} o* various biometrics error ntes, 
costs, tie 

2; The Guuipersw of UIDAI ts aware of the unprece 
dented scale of tins project os is evident ic 
this statement "Thi is 1 massively complex projec 
ns our 'lomctric database will consist of 1.2 biliior 
record* which r 10 tiivei larger than the curren' 
large.1 'iomi’tuc re coid” (indnn Express 2009) 
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1. Introduction 

Citizens in India depend on the Government for various services at various stages of 
the human lifecycle. These services include issuance of birth certificate, voter 
identity card, ration card, driving license, passport, PAN card etc. In addition the 
government also implements different welfare schemes like Targeted Public 
Distribution System (TPDS), National Rural Employment Guarantee System 
(NkEGS), health insurance, old age pensions etc for the economic and social 
upliftment of the people. A Unique Identity (UID) assigned for every citizen would 
obviate the need for a person to produce multiple documentary proofs of his identity 
for availing any government service, or private services like opening of a bank 
account. The Unique Identity (UID) would remain a permanent identifier right from 
birth to death of the citizen. 


UID would enable government to ensure that benefits under various welfare 
programmes reach the intended beneficiaries, pie vent cornering of benefits by a few 
people and minimize frauds. UIDs are also expected to be of help in law and order 


enforcement, effective implementation of the public distribution system, defining 
social welfare entitlements, financial inclusion and improving overall efficiency of 


the government administration 


2. Enrollment 

It is expected that the Government will enroll the citizens by capturing the 
Biographic and Biometric details and issue a Unique ID number. During the 
enrollment process, it has to be ensured that the same citizen does not ge. enioLed 
more than once. This can be done by comparing tbe biometrics of the citizen with all 
other citizens already enrolled and denying enrollment in case a match is found. 
Enrollment of citizens can be done in two ways. 

(i) The enrollment can be done online by adopting a centralized architecture/ in 
which all the enrollment stations in the country are connected to the central 
server and the biometrics of the citizen being enrolled are matched / 
compared with the biometrics of all the citizens already enrolled- In case a 
match is found/ the system will not allow enrollment to be done. 

% 

(xi) The other way in which enrollment can be done is by adopting an offline 
enrollment method by synchronizing the data with the central server 
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periodically as and when internet connectivity is available or through regular 
backup of data b) means cs DVDs / Hard disks. The biometrics of the citizens 
captured through the offline method are then matched / compared with the 
biometrics of all ether enrolled citizens at the central server to identify 
multiple enrollments vf H-c same citizen. 


What is important in oota the cases- is the speed of matching and the accuracy of the 
matching results. The speed o ( matching has to be very h.gh as the number of 
citizens to he enrolleo runs into millions, fhe accuracy is equall) r important as false 
matches will result in erroneous enrollments, delays and p )tential failure of the 
project itself. It is to be noted ll*at, during the enrollment, the row images of the 
biometrics are captured and. algorithms are used for converting the images into 
templates which are used lor comparison/ matching. The speed of matching and 
accuracy of matching de yerui on the biometric captured, the a gorithm used and the 
matching engine deployed. 


3. Biometrics 

There are several Biometrics such as Fingerprints, Iris, Facal recognition. Hand 
Geometry, Signature, Vcice path: as eic. which are being used by Governments all 
over the world for an extensive array of highly secure identification and personal 
verification solutions. Each o(them has certain advantages and disadvantages which 
must be considered in developing biometric systems. Selecting the right biometric is 
critical to the ^ucceoS of any Identify Management project such as the Unique ID 
project. Key metrics boat need to be evaluated for choosing a biometric include the 
stability of the biometric over the lifetime of a human being. Failure to Enroll (FTE) 
rate, False Accept Rate (FAR), and the False Reject Rate (FRR). It is important to 
understand the advantages'and disadvantages of each biometr c and the advantages 
of going in for Multimod.il Biometric solutions 

4. Multi-Modal Biometrics 

Multimodal biometrics refers to Ike use of a combination of two or more biometric 
modalities in a single identification system. Biometric systems based solely on one- 
modal biometrics are often rot able to meet the desired performance requirements 
for large user population applical ions, due to problems sucl* as failure to enroll, 
noisy data, spoof attacks, environmental conditions and una xeptable error rates. 
Each of the biometrics his ils' relative merits and application where they can be 
used. A few examples are given below. 
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4.1 Face 

The face can be tlv* first form of identifying a person without the need for any 
external device; however, a facial recognition camera may not be able to distinguish 
between identical (wins Facial recognition works on the system identifying 9 
geometric points on a human face and international studies have confirmed very 
high "false Acceptance Rates" (3 in 100). 

4.2. Fingeiprints 

Fingerprints are ideal for verification (1:1 matching) though there are Automatic 
fingerprint Identification Systems (AFIS) which do identification (TNI or N:N) also. 
However, even m the case of identification, the "False Acceptcmce Rates" are about 
1 : 100 , 000 . 

• Fingerprint de-dupkeatiou is cost effective only for small population and the 
cost of de-duplication goes up significantly due to manual intervention 
required while doing de-duplication for huge population. This is due to large 
number of false matches thrown up during the fingerprint de-duplication 
process requiring Human intervention / Back office operations to work on the 
probable matches and thereby adding up to the costs; 

• Fingerprints are susceptible to noisy or bad data, such as inability of a scanner 
to read dirty fingerprints clearly. People above 60 years and young children 
below 12 years may have difficulty enrolling in a fingerprinting system, due 
to their faded prints or underdeveloped fingerprint ridges. It is estimated ihat 
approximately 5 percent of any population has unreadable fingerprints, either 
due to scars or aging or illegible prints. In the Indian environment, experience 
lias shown that the failure to enroll is as high as 15% due to the prevalence of 
a huge population dependent on manual labor. 

However, the advantages of fingerprints are given below 

• Fingerprint is cost effective at the time of verification. (Since at verification or 
the point of service, fingerprint devices of low cost can be used. 

- Fingerprint can be used for forensic purposes. 


4.3. Iris 


Iris recognition is the most accurate of the top three biometrics: fingerprints, 
facial recognition, and iris recognition. Iris recognition has a false accept rate 
of 1 in 1.2 million for one eye (1 in 1.44 trillion for two eyes) regardless of 
database size. As a result of the accuracy of Iris recognition. Iris returns a 
single result back. Fingerprint and face technologies generally return a 
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candidate list and ihen i manual process is required for resolving the 
candidate list. For this reason. Iris is the ideal biometric for applications which 
requiie real time identified ion. Processes such as fraud screen (to check for 
duplicates) enrol merit for large populations can be easily handled by Ins 
recognition when- they art ''cry difficult for fingerprint,. 

Iris recognition algorithms can search upto 20 million r ?cords in less ihait one 
second using a normal Quadcore - 2 Processor blad? server. In a parallel 
process, using, COTS hardware, Iris can perform at 1 billion matches pei 
second. The ability to scanh a population database in real time and return a 
single match result is tuvque to Iris recognition technology. Due to manual 
candidate list iesolution w f:h face and fingerprint technologies. Iris is the only 
biometric which delivers operational results in real time which can be acted 


upon. 

e Iris is an internal organ because of which there is no problem of 

environmental conditions affecting the Iris unlike finge ‘prints which may not 

be prominent ui ]People vvno do labor work or work 1 x harsh environments 
(e.g factories, farms, etc). 

• The Iris of a person is stable throughout a person's life (From the age of one 
year till death), the physical characteristics of the Iris do not change with age, 
diseases or environ mental conditions. Hence one time enrollment is enough 
for a person during his life! ime. 

P One of the most important -idvantages of using Iris as a Biometric is the lower 
effort, lesser M\frastruo:ure (servers, database licenses, datacenter 
infra structure etci required tor de-duplication whereas finger print de- 
duplication requires more than 50 times infrastructure and more human effort. 
Another related cosi that is normally overlooked is the infrastructure 
maintenance cost lor running such as huge datacenter like, manpower, power 
consumption, annual maintenance costs for hardware ar d software etc. 

* A comparative study of the performance of multiple biometrics done by the 
centre for Mathematics and Scientific Computing. National Physical 
Laboratory NPL oJ UK is given in the Table 1. 
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Table 1 


Biometric : 

i 

* i 

FAR 

- > / 

(False -- 
Acceptance - 
Rate) 

FRR • 

> . » * 

(False 
Rejection 
;Rate) J 

:FER-^^ 

. (Failure Kto - 

1 f i ^ c 

Enroll rate)Y 

v « 1 A * j 

> r 

Scalability: ;f; 

r i 

- **- £ s , -'r* 

/ t ' * i # ai 

-' i - .* . 

< - i '• ~ 

/%* < >?*' 
j > 

,<. v ' - $.■ 

cStaMty^i 

v f&'f *r. V/v 

_*-’** ‘ * i; 1 

^ ** * A i,- 

3c H H, 1, ^ 

•/ r'- 

f,; r > 

^ % ^ 

Iris 

1:12 

million 

0.1 - 0.2% 

0.5% 

1: all search 

Very 

stable 

Fingerprint 

1: 100000 

2.0 - 3.0% 

1.0 - 2.0% 

1: 1 match 

Changes 

Pacini 

recognition 

i: 100 

-10% 

0.0% 

1:1 match 

Changes 

Hand 

Geometry 

1:10000 

10 - 20% 

0.0% 

1:1 match 

Changes 


For complete Report Please Refer - Biometric Product Testing Final Repot t (19 
March 2 001, Center for Mathematics and Scientific Computing , National Physical 
Laboratory, UK). 


The most compelling reason to adopt Multi-Modal Biometric is to introduce 
certainty in the recognition piocess, real time identification, lower effort fo** de- 

duplication and reduce the possibility of inconvenience caused by malfunctioning 

% 

of a single Biometric. 


Advantages of using Multi-Modal Biometrics 

♦ The enrollment cost for Multi-Modal Biometric, enrollment will be about 5 - 
10% marginally higher compared to single/dual biometric enrollment. 
However, the total cost of solution in case of multimodal enrollment is 
significantly reduced due to reduced cost during de-duplication which 
outweighs the marginal additional cost incurred during enrollment. 

• Single biometric enrollment results in Failure to Enroll (FTC) if those 
biometric characteristics are absent in a citizen or if they are not qualified for 
enrollment (due to scars, aging oi illegible/ worn out / cut / unrecognizable in 
case of fingerprints). In Indian conditions, where more than 60% of the 
population is involved in manual labour, experience has shown very high 

FTE rates for fingerprints. 


De-duplication 

De-duplication is the processing of the biometric data of citizens to remove instances 
if multiple enrollments by the same citizen. During de-duplication, matching the 
liometrics of a citizen is done against the biometrics of other citizens to ensure that 
he same person is not enrolled more than once. This will ensure that each person 
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9 P oject. Dc-duplication is discussed in the content of the two different 
enrollment scenarios wh ch are gi ven below. different 

Case I: Enrollment using a centralized architecture 

citizen have in^'' S ' n ”. ‘ ' :en '- raii zed ardiifectere, the biometrics of the 

citizens The mat *& ah sl tn » : biometrics of all th* previously enrolled 

whether the -ame^r ' S i° be ' in,K SOOJ1 after the biometrics are captured to check 

citizen JfnTt „ ? *™ 1,Cd Car,kr * In case " ™* h 15 ^nd, the 

matching V c u <n ‘° , ed UVy the -’YStem. To accompli; h this, the speed of 

comnlexftv tt ° m ' e,y h ' 5h " nd w,thout an y faIse adepts. To illustrate the 
and a ne v US ‘ ““ 200 miUion *«**« have already been enrolled 

stain 15 ^ Waiti ” S t0 bG enrolled **> «* sys.em at the earo-lmem 


(1) men Fingerprints ore used ,is the Biometric. 

Tlie number of matches to be performed and the time 
beicw. 





*. ...O" 


.. i 11 


ft-* 


Imp 


token is shown in the'table 


ipisi 








No. of matches ,f 1 finger (say left On,mb) is loo m"on 

m n f/'li /i J • . .< 


matched against nil left thumbs of 


previously enrolled ril izp-is 
No. of matches if all lOli^rTTre rmil^ 
against the respective lingers o: all (he 
-previou sly enrolled cit izp 15 

No. of matches if a lili7'‘(ol' 1 r ; ^~ l T7 
matched against all the fingers of all the 
previously enrolled ritispng 



2000 

million 

^0000 

million 


■jsssmsa 


a 


|gp 

riiM 


40 secs 


400 secs 
(6.67 minutes) 

4000 secs 
(1.11 hours) 


(2) When Iris is used as the Biometric. 

The number of matches to b<> performed mH n-, D .1 . , 

below. ' P d nd the me tak en r, shown in the table 
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St _ ft H 

,■ '' 1. 

*<. 

; (Assuming;; a|« 
servers-iy^th 
matching*: capacity; pf: 
200 million per sec) i v’' 

No. of matches if i eye (say left eye)agamst 
ail left eves of previously enrolled citizens 

200 million 

1 sec 

No. of matches if both eyes arc matched - 
against die respective eyes of all the 
previously enrolled citizens 

400 million 

2 secs 

No. of matches it both eyes are matched 
against both eyes of all the previously 
enrolled citizens. 

800 million 

4 secs 

* 


Thus i( can be seen that the Iris based online enrollment is many times faster 
compared to the fingerprint based enrollment. Moreover, die fingerprint based De- 
duplication throws up false matches which have to be crosschecked with the photo 
or other parameters before deciding the accuracy of the match. 

Case II: Enrollment us mg a De-centralized architecture 

In the case of enrollment using a De-centralized architecture., the biometrics of 
citizens captured during a certain period have to be matched against the unique ID 
enrollment database of all the previously enrolled citizens. The matching has to be 
done by aggregating the data from each of the decentralized enrollment stations and 
matching against the de-dur>Ucated biometrics of all the previously enrolled citizens. 
To illustrate the complexity, let us take the case where 200 million citizens have 
already been enrolled, and a data of 1 million citizens has been aggregated from the 
enrollment stations. The data of the i million citizens will have to be matched 
against the 200 million citizens to avoid multiple enrollments. 

(1) When Fingerprints are used as I he Biometric. 

The number of matches to be performed and the time taken is shown in the table 
below. 
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463 days 
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take 50 times the number of servers adopted for Iris based De-duplication. In 
addition to tire increase in timelines and hardware, the number of false matches 
thrown up in Fingerprint based De-dupiication would require large manpower to 
use other comparisons such as photos to eliminate the false matches. 

C. Conclusion 

Choosing tire right biometrics plays a very important role for ensuring the success of 
die Unique ID project. While Ins as a biometric ensures high mat clung speeds and 
high degree of accuracy which are very essential for large Unique JD projects, 
fingerprint as a biometric will be economical for verification at the Point of Service. 
Thus the use of Multi-Modal biometrics will enable Governments to reap the 
advantages of both in the most optimal manner 
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1 Executive Summary 

The Unique Identification Authority nf India (UlDAi) was set up by the Govt, of India on 
28 January 2009. The purpose of tin U1DA1 is to issue Unique Identification numbers to 
all residents in the country The AuU ority set up a Biometrics Standards Committee in 
order to frame biometrics standards for use by the UIDAI and its p irtners. The first 
deliverable of the Committee was to ft am: biometric standards ba ;cd on existing 
national and international standards, with ihe consensus of variou s government 
stakeholders.The second celive^abl. was to recommend appropriate biometrics 
parameters to achieve the JIDAfs mandate. The second goal of the Committee 
encompassesbest practices, expected accuiacy, interoperability, conformity and 
performance in biometrics standaicl 


After reviewing inte r natio)ial standards and current national reco nmendations, the 
Committee concluded that the ISO l'»794 series of biometrics standards for 
fingerprints, face and iris set by' the International Standards Orgai izalion are the most 
suitable. There standards nre wide *y accepted, and best embody p *evious experiences 
of the US and Europe with biometric; The standards framed for tl.e UIDAI are 
accordingly, fully compliant with tin respective ISO standards, and are given in Sections 

7 through 11. 


The Committee notes that Face is thi ■ most commonly captured bii metric, and 
frequently used in manual checking However, stand-alone, automatic face recognition 
does not provide a high level of accuracy, and can only be used to supplement a primal y 
biometric modality. Fingerprinting, the oldest biometric technology, has the largest 
market share of all biometrics model ities globally. The fingerprint industry also has a 
variety of suppliers and a base of experienced professionals necessary to implement the 
unique identity managemc ntsolutum at the scale that India requires. Based on these 
factors, the Committee recognises that a fingerprints-based biometric system shall be at 
the core of the UIDAI's de-duplicatu:n efforts. 


The Committee however, is also cor scious of the fact that de-dupi .cation of the 
magnitude required by the UIDAI has never been implemented in the world. In the 
global context, a de-duplication accuracy of 99% has been achieved so far, using good 
quality fingerprints against a database of up to fifty million. Two f ictors however, raise 
uncertainty about the accuracy that can be achieved through finge rprints. First, 
retaining efficacy while scaling the database size from fifty million to a billion has not 
been adequately analysed Second, linger print quality, the most important variable for 
determining de-duplication accuracy has not been studied iri dep:h in the Indian 
context. 


The Committee therefore field extensive meetings and discussion; with international 
experts and technology suppliers. 4 technical sub-group was also formed to collect 
Indian fingerprints and aralyze quality. Over 250,000 fingerprint images Irom 25,000 
persons were sourced from district 1 , of Delhi, UP, Bihar and Orissa. Nearly all the images 
were from rural regions, and were collected by different agencies using different 
capture devices, and through diffe *- nt operational processes. The analvsis reported in 
Section 12.4 and the associated An flexure show that the UIDAI cojld obtain fingerprint 
quality as good as seen in develop** :i countries, provided that pro >er operational 
procedures are followed end good quality devices are used. On the other hand there is 
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data to suggest that quality and therefore the accuracy drops precipitously if attention 
is not given to operational piocesses. 


The demographic data (non-biometric data) is also used for improving de-duplication 
processes, it reduces die amount of manual labor required to establish genuine 
duplicates from a possible list of duplicate matches. 


Further, it has also been observed that Ins, which for a long period of time was under 
the proprietary domain, *s emetgmg as an impoi tant biometric modality after 
fingerprint and face. The accuracy and speed of iris-based systems currently deployed is 
promising and may be feasible in large-scale de-duplication systems. 


Finally, it is possible to combine multiple biometric modalities including multiple 
fingerprints to increase overall de-duplication accuracy 




Recommendations 


Based on the above deliberations, the Committee makes the following principal 
recommendations: 


1. Tin* Committee expects that the UIDAI could achieve at least 95% de-duplication 
accuracy using moderately good fingerprint images for a database size of 1 billion 
Empirical image quaiity data or Indian ground conditions clearly show that such 
accuracy is achievable. In the global context, a de-duplication accuracy of 99% has 
been demonstrated to be achievable using good quality fingerprints against a 
database of up to fifty million. 

2. In order to capture moderately good fingerprint images, a few simple but critical 
techniques during enrolment should be consistently followed, failing which material 
reduction in accuracy would occur. Manual and automated monitoring should he 
utilized to ensure consistent use of good enrolment practices. 

3. In view of the above, the Committee feels that the UIDAI should collect photograph 
and ten fingerprints as pe** ISO standards described in Sections 8, 9 and 19. 


4. 

5. 


6 . 


Biometrics data aie national assets and must be preserved in their original quality. 
la other words, quality must not be compromised through lossy image compression 
during storage or transmission. 

While 10 finger biometric and photographs can ensure de-duplication accuracy 
higher than 95% depending upon quality of data collection, there may be a need to 
improve the accuracy and also create higher confidence level in the de-duplication 
process. Iris biometric technology, as explained above, is an additional emerging 
technology for which the Committee has defined standards. It is possible to improve 
de-duplication accuracy by incorporating iris. Accuracy as high as 99% for iris has 
been achieved using Western data. However, in the absence of empirical Indian 
data, it is not possible for the Committee to precisely predict the improvement in the 
accuracy of de-duplication due to the fusion of fingerprint and iris scores. The UIDAI 
can consider the use of a third biometric in iris, if they feel it is required for the 


Unique ID project. 

A scheme must be designed to reward enrolling agencies for the capture of good 
quality images. 


UID Biometrics Design Standards 


5 of 5 7 


t 



fir 


ii j 


jf 1 

i 

t 

i 


’■ 
t * 

1 i 




-!■ 


- ii4 


n >; H’ n ^ > 

a.,, t^iiliiiirn. 

f j if- f k ' isr* »t”t •> *i » 

•m ’? . - 

♦l '. i<! 4 ‘ii r 14 ' 


is 4 ij** 

rifely'• 


\ 


f 


"J f"U- 


1 , 


7. Specific best practices indicated in Section 12 should be observed in order to ensure 
interoperability, vendo?" independence, conformance to standards and improved 
performance. 

8, The UtDAl along with o :hei stak* holders should establish center(s) for on-going 
biometrics research, and pi ovide reference implementation of enrolment process 
software designed for l icikihcc idicions. 


♦ 


r 
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introduction 







The UfO Authority of India (UIOAI] has been setup by the Govt, of India with a mandate 
co issue a unique identification number to every resident in the country. The UIDAI 
proposes that it create a platform co first collect the identity details of residents, and 
subsequently perform identity authentication services that can be used by govei nment 
and commercial service providers. A key requirement of the UID system is tc 
minimize/eliminate duplicate identities in order to improve the efficacy of the service 
delivery. 


The UIOAI has selected die biometrics feature set as the primary metnod to check for 
duplicate identity. In order to ensure that an individual is uniquely identified in an easy 
and cost-effective manner, it is necessary to ensure that the captured biometric 
information can be used to carry out de-duplication. Consequently, for government and 
commercial provide; s to authenticate the identity at the time of service delivery, it is 
necessary that biometric information capture and transmission are standardized across 
all partners and users of the UlD system. 


The Government of India has in the past set up a number of expert committees to 
establish standards for various e-governance applications in the areas of Biometrics, 
Personal identification and location codification standards. These committees have 
worked out standards in their respective categories, which may be uniformly applied 
for various e-governance standards. 

As the UIDAI proposes to use biometrics for de-duplication and 
verificaiion/authentication, it becomes essential to review the applicability and 
sufficiency of these standards in UID applications. It may also be necessary to enhance 
or clarify these standards,, and frame the methodology for the implementation of 
biometrics toensuie that they sei ve the specific requirements of the Authority. 
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3 Objective 


The IJ1DA1 biometrics committ ee ("i k- Committee”) was constituted to provide the 
UIOAI with direction on die bi< met * <:> standards, suggest best practices and 
recommend biometric mocalities for the UID system (Annexure l). 

The objective efthese biometrics specifications is to ensure consisrent good quality 
biometric images and roliaole mtero jerability across biometric ca pture devices, captu 
software and UiD service delivery. 


The success of the Unique ; D is solely based on its ability to detect and eliminate 
duplicate identities during the enrolment process. The primary me thud for detecting 
duplicates will be through the comp srison of the biometric feature set, which requires 
consistent, high quality imager. A good biometric implementation design that ensures 
consistent quality from a variety of I iometric capture devices is therefore, essential. 


The biometrics will be cap ured foi mthentication by government departments and 
coinmeicial oiganizations at the turn ofsei vice delivery. They wi) irn'a^ably use 
capture devices and bieme trie softM are vendors different from the devices and 
software used by U1DA . Consequenily, biometric standards are essential to ensure 
reliable interoperability at reasonable cost* during the authenticat on phase. 


The purpose of this dorurr ent is to identify applicable standards and recommend best 
practices to the UIOAI to achieve it? objective. 
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4 Scope 


* To develop biometric standards that will ensure the interoperability of devices, 
systems and processes used by various agencies that communicate with the UID 
system. 

- To review the exiting standaids and, if required, modily/extend/enhance them so 
as U) serve the specific requirements of the LMDAL 

- To specify design parameters of the standards that will be used for the UiO system. 


To estimate the accuracy achievable using different biomeo ic modalities in the 


Indian environment. 


* To make recommendations to the UIDA1 on the use of biometric modalities. 

From the standpoint of the biometrics industry, the UID “system is a civilian application 
ofbiometrics. Although the primary focus is the UID system, the Committee believes 
that the specifications should meet the needs of all civilian applications. The Committee 
considers forensic application requirements out of scope. 
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5 Target Audience 

Any person or organization involved in designing, testing or implenenting UID or UID 
compatible systems for die central gf ^ernrnent, state government ur commercial 
organizations 

Any vendors and integrator s of biom-itnc devices and software targeting UID system 
compatibility. 
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6 Normative Reference 

The following reference documents are indispensable for the application of this 
document. 


IAFIS-iC-0110 (V3), WSQ Gi ay-scale Fingerprint image Compression Specification 1997 

ISO/1EC 15444 (all parts), information technology - JPEG 2000 image coding system 

IS0/f£C 19785-1 , 2006. Common biometric exchange formats framework - Part 1: Data 
elements specifications 

ISO/IEC 1979^-2:2005. 3iometric data interchange formats - Part 2: Finger minutiae 
data 


ISO/IEC 19704-4:2005. Biometric data interchange formats - Pai t 4: Finger image data 
ISO/iEG 19794-5:2005. Biometric data interchange formats - Part 5: Face Image data 


ISO/IEC 19794-6:2005. Biometi ic data intei change foi mats - Pair 6: Iris Image data 


ISO/IECCD 19794-6 3. Biometric data interchange formats - Part 6: Iris Image data 
working group draft 


MTR 0460000022. (Mitre Technical Report), MargaretJLepley, profile for 1000 
Fingerprint compression. Version 1.1, April 2004. Available at 

hltp://www.mitre.org/work/tech napers/tech papers 04/ieplev_fm^erf)r,int/leplev fi 
ngcrprim.pdf 
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7 Standards 

In the current IT world, as nteroper,ibihty between devices and IT systems becomes a 
growing concern, the quesi ion is net whei her to use standards but which standards to 
use. ANSI, INCITS, CEN, Oasis and 1 are just a few of the prominent agencies with 
published biometrics stanc arcls. Afo r reviewing the charter of each body and current 
state of biometrics in India, thr Committee selected the ISO standard. Within tne ISO 
oody of biometrics standards, the Committee will use data format standards. These 
standards are widely supp nted by vendors, and are used extensively. ISO data format 
standards also contain the ma dmum empii ical information on usege, interoperability 
and conformance. 
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8 Tailoring of Face Image Standards 


The UIOAI Fingerprint Image Standard will adopt ISO/IEC 19794-5 Face Image Data 
Standard as the India,i Standard and will specify certain implementation values 
(tailoring) and-best practices. 




Sejtfon 7 Mi^itvi/^hutogrT'jMuc Tequirii.r.^ms 


The UiOAi will require face images tor human visual inspection and duplicate check on 
a small subset. Visual inspection and automatic matching accuracy is directly related to 
the quality of the images. Therefore it is essential that the highest quality of images be 
consi ere n dy ca p tured 


b , i.. 1 i * if JinCul Kibblli _»i tu Aul' j vC 11 u-< Ut fC, 


Defining the values for face image standards as shown in Section 7,2, table 2. 


Face Image 

Scan I Color Space 

Source 

Inter-eye 

Facial Expression 

Type Code 

resolution 

(dp.) 

Code 

Type €ode 

distance 

(pixels) 

Code 

- 

Full Frontal : 

300 

24 bit RGB ' 

0x02 

120 

€:<01 

(0x01) 


/0x01) 

0x06 | 


r- 


is.i.2 luurce iype 

Static face images (Code 0x02} from a digital still-image camera are strongly 
recommended. Single video f ames from a digital video camera (Code 0x06) are also 
acceptable. 

tii.i.Zi Lhtoression 
» 

Face images should have neutral expression (non-smiling) with both eyes open and 
mouth closed. 

. Pi 1 i»C 

Roll, pitch and yaw angle should not be more chan ±5° (Figure 4 of ISO 19794-5). 

8.2 Section 7 image Compression Algorithm 
•12.1 for Enrolment 

* 

For enrolment, uncompressed images are strongly recommended. Lossless JPEG 2000 
color compression will be accepted for legacy purposes only. 

iC.2,2 For Authentication 

Code0x01 - JPEG 2000 compression is recommended. Maximum compression ration is 

10 . 

X. 3 F-dt.e RecordFuri-i.il 
£.3.3 C13CF1" HoadC't 

The UIOAI will not use information defined in Section 5.3 of ISO document 

o.3.2 Facial Record Header 

The UIOAI will maintain single facial image. 
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8,3.3 Facial Information Block 
The UIDAI will not use information <: 


e fined in Sections 5.5.1 to 5.5.5 of ISO document 


8.3.4 Feature Point Block 

The UIDAI will not use geometric feature points deiined in Section 5.6 of ISO document. 


* 
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9 Tailoring of Fingerprint image Standard 

The UIDAI Fingerprint Image Standard will adopt ISO/IEC 19794-4 Fingerprint image 
Data Standard as Indian Standard and specify certain implementation values (tailoring] 
and best practices. 

Section 7. linage Acquisition Requirements 
The ouplicate check during the enrolment phase will use 1:N matching 1:N matching 
foi large gallery size and high enrolment rate will require substantial computing 
resources. The matching time and matching accuracy is directly related to the quality of 
the images. Therefore it is essential that the highest quality of images be consistently 
captured, it is also requiied that ah ten fingers are captured whenever physically 
possible. 

The goal during authentication is to achieve fast ovei all response while permitting a 
wide variety of capture devices and associated software. It is sufficient to capture only 
one or two fingers for reliable 1:1 authentication. The image quality needs for 
authentication are not as stringent as in enrolment. 


r b j.I For Enrolment 

Setting level 31 or higher as shown in Section 7.1, table 1 


-- 

Setting 

level 

Scan 

resolution 

fppern] 

Scan 

resolution 

(dpi) 

Pixel 

depth 

(bits) 

-j 

Dynamic 

range 

(gray levels] 

“ 

Certifications 

_J 

IS 7 

500 

8 

200 

EFTS/F 


*•*,1.2 for Authentication 

Setting level 28 or higher as shown m Section 7.1, table 2 


Setting 

| level ; 

\ 

\ 

Scan 

resolution 

fppcin) 

Scan 

resolution 

(dpi) 

Pixel 

depth 

(bits) 

‘ 1 

Dynamic 

range 

(gray levels] 

Certifications 

28 1 

lie 

300 

4 

12 

UID 

30 

1S7 

500 

8 

80 

None 


:K2 Section 3 Finger Image record Fcuriot 


S.2.1 Section o.2.i-c image compression algorithm 


*>.P.i J enrolment 

Code 0 and 1 are strongly recommended. For legacy purposes only, lossless 
compression of code 2, 4 and 5 will be accepted. 

2. 1.2 Aui hen heat io n 

Code 4,compressed - JPEG 2000 is recommended Code 0,1, 2 and 5 are also 
acceptable.Code 3 must not be used. Maximum compression ration is 15. 


i Level 28 is not specified in FBI's Electronic Fingerprint Transmission Specifications, 
Appendix F (commonly referred to as EFTS/F). It has been created to accommodate 
certain class of new generation lower cost single finger capture devices. 
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9.2.2 Section 8.3.3 Finger/palm position 

The valid values for fingcr/pal.n portion are 0 through 10,13 through 15. 

9.2.3 Section 8.3.7 Imp res* ion typ< 

For enrolment image, only rod : 0 or ? will be used. Authentication impression can be of 
type 0,1, 8 or 9. 

9.2.4 Section 13.3,10 Fingui/paim im.ige data 

The estimated optimal Hngerpi mt image captured under aforemer tion^d specification 
of this standard in bitmap is 7.5MB per subject. 


* 
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1C Tailoring of Minutiae Format Standard 

UlO Minutiae Format Standard wiU adopt the ISO/IEC 19794-2 Minutiae Format 
Standard as die Indian Standard and specify certain implementation values (tailoring) 
and best practices. 


10.1 Section 7.4 


'{ 

. i 


) t 


repression Type 


Forenroiment unage, only code 2 0 or 9 will be used. Authentication impression can be 
of type 0,1,£ or 9. 


10.2 Scoriaii T.S Emended Data 

While the extended data area allows for the inclusion of proprietaiy data within the 
minutiae format, this is not indented to allow for alternate representation of data that 
can be represented in open manner, as defined in iSO/IEC 19794-2. In particular, ridge 
count data, core and delta data or zonal quality information shall not be represented in 
proprietary manner to the exclusion oTpublicly defined data formats. 


The UID authentication process will not utilize extended data area for verification. 




2 Codes specified in ISO/IEC 19794-4, Section 8.3.7 are newer and superset oi this table. 
Hence the reference is made to ISO/IEC 19794-4 Table 7. 
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11 Tailoring of fris Standards 

UiD Iris Image Standard w 11 adopt the iSO/IEC 19794-6 Iris Image Data Standard as the 


Indian Standard and speedy certain implementation values (tailor ng) and best 
practices. The currenc (2005) ’'srs’Ti is under revision. A new ver ;ion (2010) is 
expected to clear tne ISO/IEC J7C 1/ >C .67 sub-commictee in January 2010. Therefore all 
references below are to the Ia< est ( N ovember 2009) draft of the pt oposed standard. The 
Committee will revise this seel ion alier the ISO standard is publish ed. 


11.1 Section 7A2.2 Kind 

Allowable values are KIND- V GA (21 ,md K!ND_CPOPPED (3) in Table 5. 

11.2 Section 7.4.2.4 Ima^ e dale 

Every effort must be m ide by the ve ndor to register Capture Device Vendor ID and 
Capture Device Type ID with the appropriate registration authority. K is strongly 
recommended that these f.eids as di sci ibed in Table 6 not be filled with zero value. 


It is strongly recommended that quality information consisting of Quality score. Quality 
algorithm vendor iD and Q uality algirithm ID as described in Table 6, shall be provided. 
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12 Best Practices 

Specific recommendations for each modality listed below are based on prevailing 
standards, best practices followed by international users and the ground reality in India. 


l2 1 face 


Key Decisions 

Decision 

Type 

Summary of Decisions 

Enrolment 




Image capture 

R 

Full frontal, 24 bit color 



Digital/Photographic 

requirements 

R.S 

Per ISO 19794-5 Section 7.3, 7.4, 8.3 
and 8 4 with Section 8.3 of Technical 
Corrigendum 2. 

Inter-eye distance - minimum 120 
pixels. 


1 1 1 * 

Pose 

S 

Per ISO 19794-5 Section 7.22 

— 


Expression 

R, S 

Neutral expression. Specified as best 
practices. 



Illumination 

S 

Per ISO 19794-S Section 7.2.7 



Eye Glasses 

S 

Per ISO 19794 5 Section 7.2.11 



Accessories 

R 

Permissible for medical and ethical 
reasons only. 



Multiple samples of 
face 

M 

Yes Recommended for automatic face 
recognition. 


Operational 

S 

Per iSO 19794-5 Section 7.2.4 - 7.2.10 


! Assistance 

R 

Yes. Specified as best practices. 

-1 

1 4 

Segmentation and 
feature extraction 

M 

Recommended for automatic face 
recognition 

■ ' 

Quality check 

R 

Yes. Specified as best practice. 

4 

Storage & compression 

S 

Uncompressed image strongly 
recommended. For legacy reasons, 
lossless [PEG 2000 color accepted. 

Authentication 



■■■ '*i 

* 

Image capture 

R 

Same as enrollment 

* 

Compression 

S 

JPEG 2000 color compression 
recommended. Compression ratio to 
be less than 10:1. 

i 

Number of Images 

R 

One full frontal image 


filViiv 2 Fact* hnagt- 
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12.2 Fingerprint 


Enrolment __ 

Image capture 

_ Plain or rolled _ 

_ Number cf fin jen __ 

_ Device rh a racteris I ics 

_ Quality check _ 

Operation al_ 

_ Assistance _ 

_ Corrective me :su 

_ Storage & trar.smissioi i_ 

{Compression 


_ Storage form at_ 

_ ? Minutiae format _ 

Multi-finger ft) sio 1 
algorithm _ 
Authentication 

_[ Ima ge capture _ 

Number of finder; 

““n — _ ^ 

__, Any fingeroption 

_ Retry _ 

Device c h aracterist ics _ 

_ Transmission form at_ 

Compression 

_ Minutiae format 

Figure 3 fingerprint 


_ P lain, live sea n_ 

_ Jen_ 

_ ^t ling level 31 or above, i .FTS/F certified 
Yes - specified as best pra :tice _ 

Yes - Specified as best practice 

» • ■ ^ - — _ __ __ __ 

_ Yes - Specified as best pra ctice__ 


Uncompressed images strongly 
recommended. For legacy reasons lossless 
J PEG 2000 or WSQ compn ssion accept ed. 
P er ISO Section 6.3. No de ; iation necessary 
P er ISO 19794-2. No deviation necessary. 
Recommended. Application dependent. 


P No minimum, no maximur i. Appiication 

_depe ndent. Recomniendec I as best practice 

M_Y es Recommended as bes i : practice _ 

J;_ Maximum 5. Recommendc d as best practice. 

Jj_Se tting level 28 or above _ 

Jj_ Per ISO. No tailcring nece< sary _ 

S jPEG 2000 compression recommended. 

..._ Compression ratio to be less than 15:1 _ 

.5_P er ISO 19794-2. No tafior.ng necessar y 


3 R: Recommendation based on best practice/empirical data, 5: Standard based, M: 
Management judgment 
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12.3 ins 


Enrc 

Decision 

Decision 

Type 

Summary of Decision , 

< * 

dment 




image 

R 

Two eyes, > 140 pixel image diametei [170 
pixel preferred}, image margin 50% left and 
right, 25% top and bottom o r iris diameter 

■ 

■i 

Device Characteristics 

R 

Tethered, autcfocus, continuous image 
capture, exposure c 33 milh-second, distance 
>300 mrn for operator control, > 100mm 
enrollee control 

\ 

Operational 

M 

Operator controlled strongly preferred. No 
direct natural or ai tificial light ‘'eflection in 
the eye, indoor. 


Segmentation 

R 

Non-linear segmentation algorithm 

' 4 

Quality Assessment 

R 

Per IREX 11 recommendations 4 

> 

Compression & Storage 

S 

ISO 19794-6 (2010} data format standard as 
tailored in Section 11. 

JPEG 2000 or PNG lossless compression, 
KIN0.VG4 of Table A.l of ISO 19794-6 
(2010). 

Authentication I 

R, S 

. 

Same as enrollment except 

Cine or two eyes 

JPEG 2000 

KlND_CPOPP£D of Table A 1 


I'iijstrc -i it's 

I » 


I *r 

•Jm ll 


(\ 'metrics Accuracy 


The UIDAl's dierter o' assuring uniqueness across a population ot 1.2 billion peopie 
mandates the biometrics goal oi minimi 2 ing the Faise Accept Rate (FAR) within 
technological and economical constraints. 


All published empirical data is reported using Western populations and database sizes 
of tens of millions. An accuracy rate (i.e., True Acceptance Rate) of 99% is reported in 
the test of commercial system performance[23]. Two factors however raise uncertainty 
on the extent of accuracy achievable through fingerprints: First, the scaling of database 
size from fifty million to a billion has not been adequately analyzed. Second, the 
fiugerprint quality, the most important variable for determining accuracy, has not been 
studied in depth in the Indian context. 


4 |R£X 11 study conducted by NIST will be published in April 2010. It will provide 
definite empirical result of impact of image quality on matching accuracy and speed. For 
fingerprint the analogous study resulted in creation of NFIQ, NIST Fingerprint Image 
Quality algorithm. We anticipate similar outcome from 1REX II. IREX 11 will be normative 
annexure to ISO 19794-6 (2010). 
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A technical sub-group was forced i u collect Indian fingerprints and analyze quality. 
Over 2SO,OOC fingerprint imag?s from 25,000 persons were sourcnd from districts of 
Delhi, UP, Bihar and Orissa. Nearly all were from rural regions, collected by different 
agencies using differed caatusc devices and through different operational processes. 
Analysis reported in Annerure showed the UIDAI could obtain as food fingerprint 
quality as seen in developed counti n\s, provided chat proper open tional procedures are 
followed and good quality icv'ces ai e used, On the other hand the *e is data to suggest 
that quality and therefore i he rccui iicy drops precipitously if atier tion is not given ic 
operational processes. 


Based on rather extensive empirical results compiled by NISI and a first cut of Indian 
data analyzed in a shop* period, the ollowing broad categorizatior can be made 

1. The UIDAI can obtain fingerprint quality as good as that seen in developed 
countries. There is good evidence to suggest that fingerprint data from rural India 
may be as good as elsewhe e wfiun pi open operational procedures are followed and 
good quality device.; are used. T 1 ere is also data to suggest that quality drops 
precipitously if attention is not g ven to operational processes. 

2. It is possible to closely predict ti e expected fingerprint recognition performance. In 
the experiments, at 95% confidence, the sample database of a mrai region is 
expected to achieve similar accuracy as Western data. By extranolating NIST 
analysis of Western data, it is possible to conclude that fingerprint alone is sufficient 
to achieve minimum accuracy iercl of 95%, with moderately good fingerprints 
images. 


3. 

4. 


Face is an invaluable b’ometric fin* manual verification. Its potential to contribute 
materially to impro /ed FAR rate is however, limited particularly because of 
extremely large database size and high value of target accuracy 


Iris can provide acc jra:y comparable to fingerprint. Therefore fused score of two 
uncorrelated modalities will provide better accuracy than any single modality and 
could achieve the t-rget accuracy. 


Empirical data has highlighted several nontechnical factors that can impact accuracy 

more significantly than technical ac< uracy improvement efforts. 

• Simple operational quality assurance. A few simple operational techniques such as 
keeping a wettowe- or maintaining the device in good working'order can be 
superior to squeezi lg rn additional fraction of a percent in accuracy rates through 
technical improvements. Ari unchecked operational process can increase the false 
acceptance rate to over 10%. 

• In the data analyzed, 2% to 5% of subjects did not have biometric records. Missing 
biometrics is a license o commi fraud. It is believed that the f filure is due to poorly 
designed processes Tf e enrolmrnt process when examined, had loopholes which 
prevented it from dete :tin f * such omissions. 

® The biometric software needs ic be tuned to local data. Un-tured software can 
generate additional eri ors in the range of 2 to 3%. 
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Biometrics Basics 

Biometrics is the science of establishing the identity of an individual based on the 
physical, chemical or behavioural alt ibutes ofthe person. The relevance 01 oiometrics 
in modern society has been rei-iforr ed by the demand for large-sca le identity 
management systems who; e functio mlity relies on accurately dete rmining an 
individual's identity. No single biometric is expected to effectively meet all the 
requirements imposed by' 11 apphcations, in other words, no biometric is ideal, bu. a 

number of them are adiris: ibl> |.1], 

Demographic data is used along with the biometric information to improve the de- 
duplication process. For example, when a duplicate is suspected, a manual review of all 
available information ofthe person will also include a review of tb : demographic data. 

Face 

Photos ofthe face are commonly use d in various types of identifies tion cards and thei e 
is wide public acceptan ce for this bu: metric identifier. Face recognition systems are the 
least intrusive type of biometric sampling system, requiring no contact or even 
awareness ofthe subject. 1 he Jace b ometric can work with legacy photogi aphs, 
videotapes and othet image sources. 

A face needs to be well Ugh ted using controlled light sources i or automated face 
authentication systems to work wel . There are many other such technical challenges 
associated with robust face rerogrn: on Face is currently a ooor b c-netri*’ for use in e- 
duplication. it perform;; better in vet ification but not at the accuracy rates that are 
sometimes claimed. An obvious wav for an undesirable person to avoid face 
identification is by the "se of uisguse, which will cause False Neg; fives in a screening 
application. In general, iti:; a good b ometric identifier for small-s< ale verification 

applications. 

Fmgerprint 

There is a long tradition in the use offingerpiints for identification. Fingerprints are 
easily sampled with low-tost linger print scanners, i hey can also he sampled by 
traditional low-tech mean; and then cheaply and easily converted into digital images. 
Fingerprints also lend themselves very well to forensic investigation. 

There is a large variation in the quality ol fingerprints within the population. The 
appearance of a person's fingerprint depends on age, dirt, and cuts and worn fingers, 
i.e„ on the occupation and lifestyle of the person in general. Sampling ofthe fingerprint 
is through contact, i.e., pressing the linger against the platen of a fingerpnnt reader. As a 
result, there can be technical problems because of the contact nat ire of acquisition and 
problems related to the cl janliness of the finger and the platen. Additionally, there are 

people who may not have one or more fingers [5]. 

Fingerprint technology co nsti cute; approximately half of the total biometrics mai ket. 
Iris 

The iris is the annular reg on of the eye, bounded by the pupil anc sclera on either side. 
Iris is widely believed co ’ce the most accurate biometric, especial y when it comes to 
False Accept Rates. There ore the i ris would be a good biometric For pure de- 


5 IDC & Acuity Market Research Reports. 
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duplication applications. The iris sample acquisition is done without physical contact 
and without too much inconvenience to the person whose iris image is being acquired. 
Iris has no association with, law enforcement and has not received negative press and 
may therefore be more readily accepted. 

There are few legacy databases and not much legacy infrastructure for collection of the 
iris biometric. Large-scale deployment is consequently impeded by the lack of an 
installed base. This will make the upfronr investment much Higher. Since the iris is 
small sampling the iris pattern requires a lot of user cooperation or the use of complex 
and expensive devices. The performance of iris authentication can be impaired by the 
use of spectacles or contact lenses. Also, some people may be missing one or both eyes 

while others may not have the motor control necessary to reliably enroll in an iris based 
system 

Until recently, ii iscode representation and matching was ptoprietary and patented. Iris 
is emerging as the third standard biometric identifier after expiration of patents and 
changes m vendor practices. 

The gross false accept and false reject error rates associated with the fingerprint, face 
and iris modalities reported in literature are shown in Figure S [2], 


Bicmetric 

identifier 

Reference 

FRR 

FAR 

Fingerprint 

NiSTFpVTE 

0.1% 

i% 

Face 

i - 

NIST FRVT 

10% 

i% 

Voice 

NIST 2004 

5 - 10 % ; 

2-5% 

Ins 

ITIRT 

0.99% 

0.94% 


CigxU'O ~f f/\ft litul !T'll tfiYi/'" lY.trS 
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Face Image Best Practices 


Summary 

Face images will be used primarily fo*human visual inspection. However, automatic 
face recognition may be use ri a', the secondary means ofauthenticstion/de-duplication. 
Figure fi summarizes key d icisions W- far? 'mages. _ 


Key Reelsforas wj A 

"a iTl: •'! * tS "+Z- rj 

• r 11 

• DsdSion ' 

-| 'yp e 

-' Summary.of i tecis'ons/j; i" 

' - --.r-—-- ———->■ "j 

Enrolment 




Image capture 

R 

is 

\ 

Full frontal, 24 bit color 

inter-eye distance - minimum 120 pixels. 

Per ISO 19794-5 Sectio i 7.3, 7.% 8.3 and 

8.4 with Section 8.3 ofechnica! 
Corrigendum 2. 



Digital/Photograprtic 

requirements 



Pose 

. s 

Per ISO 19794-5 Section 7.2.2 

' R, S 

« 

Neutra 1 expression Specified as best 
practices. 



Expression 



Illumination 

s 

Per ISO 19794-5 Section 7.2 7 



Eye Glasses 

S , 

p er ISO 19794-5 Section 7.2.11 


■i 

Accessories 

R 

i 

Permissible for medical and ethical 
reasons only. 


— — - 

Multiple samples of 
face 

M 

Yes. Recommended for automatic face 
recognition. 


Opc 

•rational 

S 

Per ISO 19794-5 Section 7.2.4 - 7.2.10 



Assistance 

_ 

Yes. Specified as best t ractices. 


Seg 

exti 

mentation and feature 
faction 

M 

Recommended for aut miatic face 
recognition _ 


Quality check 

R 

Yes. Specified as best practice. 

> 

^ ~ ~ -j- — ■■■ . - -— - - ■■ — 

Storage & compression 

S 

Uncompressed image .trongly 
recommended. For legacy reasons, 
lossless j PEG 2000 color accepted. 

Au 

ithentication 




Image capture 

R 

Same as enrollment 


Compression 

s 

JPEG 2000 color comp ression 
recommended. Compi ession ratio to be 
less than 10:1. 


Number of Imager 

L ‘_ 

One full frontal image 


Figure 6 Face 


Enrolment 

Face image capture 

Full frontal face image provides sufficient information for both h iman visual inspection 
(by operator) and autom itic face recognition algorithms. In order to obtain a good 
quality image, 24-bit eolcr in lage with minimum 90 pixels of inter-eye distance is 
required. The Committee recomnirnds at least 120 pixels for opt imum quality. The 
image should contain wcll-fccusec nose to ear and chin to crowr region. In special 
circumstances, assistance 1 m. iy also be provided but in no case si* ould the face or body 
part (hand, arms) of the assisting person or any object appear in the photograph. 
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Ofgitai/Pnotographic i equir ements 

in the typical enrolment setup, a computer will he connected to the biometrics devices 
to constitute the enrolment station. \ tethered biometrics device provides several 
advantages o^er a stand-alone device. First, it allows the images to be associated with 
enrollee demographic data at the point of capture, thus reducing possible errors. In 
villages where power source may be difficult to obtain, it is simpler to supply power 
horn the computer 

For capturing lace image, it is simpler tor the operator 10 adjust the camera instead of 
the enrollee to position himseH/herself at the right distance or in the right posture. The 
capture device should use auto focus and auto-capture functions. The output image 
should not suffer from motion blur, over or under exposure, unnatural colored lighting, 
and radial distortion Interlaced video frames are not allowed 


i-'Ojt: 

Face image should oe lull frenca! with 0°ofyaw, pitch and roll angles. However, m 
operational conditions, variation of ±5° is permissible. 

impression 

Expression strongly affects the performance of automatic face recognition and also 
affects accurace visual inspection by humans. It is strongly recommended that the face 
should be captured iv,th neutral (non-smiling) expression, teeth closed 2 nd both eyes 
open. 

.Humiliation 

Poor illumination has high impact on the performance of face recognition. It is difficult 
for human operators as well to analyze and recognize face images with poor 
illumination Proper and equally distributed lighting mechanism should be used such 
that there are no shadows over the face, no shadows in eye sockets, and no hot spots. 

Ey'O 

face images with and without eyeglasses may have an impact on face recognition. The 
impact is greater if the glasses automatically tint under illumination. If the person 
normally wears glasses, it is recommended that the photograph be taken with glasses. 
However, the glasses should be clear and transparent so that pupils and iris are visible. 
If the glasses are with tint, then direct and background lighting sources should be tuned 
accordingly. 

Access jries 

Use of accessories that cover any region of the face is strongly discouraged. However, 
accessories like eye patches are allowed due to medical reasons. Further, accessories 
like turban are also allowed due to ethical reasons. 

Multiple samples of face 

For visual inspection by humans, the single face image of a person is sufficient 
However, for de-duplication and authentication of individuals who do not have 
fingerprints, automatic face recognition is recommended. To perfoi in accurate 
authentication in such cases, capture of multiple face images is strongly recommended 
during enrolment. There should be three samples, out of which one should be frontal 
imagewith yaw, pitch and roll angle as 0°. The other two images should be left and right- 
semi profile with yaw as ±20° to ±30°, and the roll and pitch should be 0°. 
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Operational . 

Similar to fingerprints, the ;ing!e most important factor in oolaimn g better image 

quality is the operation process. WhUe there are many qualitative factors in designing 
good operational processes operator training and assistance are important for yie.ding 
good quality images. Operators will he trained to obtain the best pi issible face images 

that satisfy requirements. 

Segmentation »nd feature <xtr; :tion 

Segmentation and feature uxtnctior. are only required for automa te face recognition 
algorithms. The algorithms fir both .emain proprietary. 

Quality check , 

image quality is one of the most important factors for both human inspection and 

automatic face recognition algorithm is. The quality assessment algont.v.r. should encode 
parameters like illuminati m, pose, Mm, noise, resolution, interne distance, image 
height and width, and horizontal a nl vertical position of the face. The quality 
assessment algorithm should be used at the time of enrolment to letermine the quality 
score of the captured face image ami image is stored only if it meets a certain quality 

threshold. 

Storage and Compression 

According to Figures 1? nd il 3 of I! 0 face image standards, the performance efface 
recognition algorithms reduce signi ficantiy if the compression rai tor is greater t tan . 
Further, as mentioned previously, Uese are our national assets a io should becapmreci 
and stored for long-term lse. For o eserving the quality of image it is strongly 
recommended that uncompressed images should be stored in the database. 

Authentication 

The authentication process consist; of seeps similarto enrolmen . 

Image Caotore , 

image capture for 1:1 vei ificution should also follow standards fnr enrolment as domed 

earlier in this Section. 


Compression 

For verification, images with JPEG 2000 compression ration of 10 will suffice. As per ISO 
standards, the image size aft er compression should not be less tl tan 11 KB. 

Number of Images 

For both manual and automatic authentication, a single full frontal face „nage is 
sufficient. The captured mage should conform to the digital/photographic 
requirements and quality thresholds mentioned above in the enrolment section. 
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Fingerprint Best Practices 


>i imti i r V 

Figure 7 summarizes the key parameters for fingerpr int. The Committee further 
classifies the decision into . 

1. Standards based (SJ: Do (SO or other standard bodies directly provide available 
choices? 

2. Recommendation based (R): Are there studies that provide sufficient evidence 
for us to make an informed decision? 

3. Management judgment (M): Management decision based on project context. 
The remaining section has a brief explanation of each decision. 


Key Decisions 

Decision 

Type 

Summary of Decisions 

i 

i 

i 

Enrolment 



! 1 maize capture 



—t 


w ■ t ■—— 

Plain or rolled 

R 

Plain, live scan 



Number of fingers 

R 

Ten 


D^v 

— -- a -- 

ice characteristics 

s 

Setting level 31 or above, EFTS/F certified 


Quality check 

R 

■ 

Yes - specified as best practice. Avoid 

NFfQ quality 4 and 5 level fingerpi ints. 


Ooerational 1 




_ a — 

Assistance 

R 

Yes - Specified as best practice 



Corrective measure 

R 

Yes - Specified as best practice 


Stoi 

rage & transmission 



— 

H 

” — « ■ «■ —— 

Compression 

S 

Uncompressed image strongly 
recommended. Foi legacy reasons, 
lossless JPEG 2000 or WSQ compression 
accepted. _ 



Storage format 

S 

Per ISO Section 8.3. No deviation 
necessary 


" J 

Minutiae format 

S 

Per ISO 19794-2 No deviation necessary 

■ 


Multi-finger fusion ' 
algorithm 

R 

Recommended. Application dependent. 

An 

then 

ti cation 




--- -- 

Imaee capture 



4 

J 


•SJ-1,---— 

Number of lingers 

R 1 

No minimum, no maximum. Application 
dependent. Recommended as best 
practice 



Anv finger option 

M 

Yes. Recommended as best practice 


’ 

Retry 

R 

Maximum 5. Recommended as best 
practice. 

' 


/icp characteristics 

S 

Setting level 28 or above 

1 - 

Transmission format 

S 

Per ISO. No tailoring necessary 

- 

Compression 

S 

JPEG 2000 compression recommended. 
Compression ratio to be less than 15:1 

• 

| Minutiae formac 

s 

Per ISO 19794-2. No tailoring necessary 


e ~ i iiicoi pH its I 
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Enrolment 

The enrolment process can be broken down into image capture ("c ient ) and de- 
duplication ("server”) side coir.ponn ts. The client side captures tl e image, performs 
local processing and storage. The set 'er side receives the image, performs quality check 
and finally executes the computation t! intensive task of duplicate checking against the 

gallery. 


Ima„e capture 

During image capture, L ie lacturs to consider are: 

1. Type of image and number of fingers to eaptui e 

2. Device used for < api uriug the image 

3. Immedi ate processing iuclud .ng segmentation of slap, sequ mcmg of fingers, 
rotational co r rertm i and quality check of image 

4. Storage when the images need to he stored 


Plain or rolled 

The roiled image, common in forensic applications, contains twice as much information 
as the plain image. The plain image is easier to capture. A siap caps ure device can 
capture up to four plain fir ger i in or e scan The rolled image in contrast, must be 
captured one finger at a time. Uolleo images requires operator guiding the rolling of 
each finger. The operation difficulty m capturing rolled image rales out its use hi the 

U1D system. 


A lumber of fingers 

In general, every additional finger increases accuracy and improves matching speed. 
Quality of finger image among the fingers is correlated. Still, two poor quality finger 
images are belter than one pool quality finger image. Considering the fingerprint 
quality of rural workers, tie Committee recommends capturing p ints of all ten fingers, 

the maximum possible 


Device characteristics 

Device characteristics cover scan resolution, pixel depth and dynamic range. A high si 
resolution device does no : necessarily produce better images 6 . The biometrics sample 
captured during enrolment needs t;,- be the best sample possible. Therefore following 
best practices of leading countries, 1 he Committee recommends t le use of EFTS/F 
certified devices that operate at levn! 31 or above. 


Capture & quality check 

Once the image has been raptured, one can perform basic quality check and image 
improvement. The enrollue must 1>:* asked to retry enrolling if the image quality is poor, 
The algorithm can assign image quality score. The quality threshold score is an 
important decision. Images captured with a NIST Fingerprint Image Quality (NFIQ) 
value of 4 or 5 normally should not be used for enrolment purposes. 


6 It should be noted that l wo devices with identical scan resolution, pixel depth and 
dynamic range do not provid e sirnJar quality images. A number \ >f laboratory tests have 
shown that a 500 dpi device from one vendor performs better th in a 1000 dpi device of 
another vendor. Nevertheless, those attributes are the only transparent way to specify 
the minimum device requirements 
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Operational 

1 he single most important factoi in obtaining better image quality is the operational 
process. While there are many qualitative factors in designing good operational 
processes, the following have been shown to critical factoi s: 

1 . Operator Assistance: Operators will be trained to guide the enroliee's hand and 
apply pressure if necessary to obtain best possible image quality. 

2 . Corrective measures & retries: If the initial capture is unsatisfactory, the 
opera tot w if! be trained to prov.ie corrective measures such as wiping fingers 
with a wet cloth ot applying lotion. Only after ail such measures are exhausted in 

five attempts, will the operator be abletoovernde the (forced capture) quality 
gate. 

>io: .-rid 'irartsmiSMun 

Once the quality check is complete, the image needs to be retained. The data format of 
storage should be such that ether applications can access the data. 


'‘V 'Ion 

Biometnc data are national assets and should be captured and stored for long-term use. 
To preserve the quality, the Committee strongly recommends uncompressed images. 
Transmission of images may be made in JPEG 2000 or WSQ lossless compression for 
legacy o- compatibility purposes. Any form of lossy compression is not accepted. In 
uncompressed mode, the coca! stcrage required for the entire population is 10,000 T3. 

Sioray* formal 

ISO standard prescribed format is sufficient for our needs. 

Dc-duplication minutiae format 

The minutiae representation has been standardized. However, the standardization 
allows vendor proprietary data fields. The trade-off is between performance and 
accuracy dirough enhanced minutiae data versus higher level of vendor dependence. 
Based on the accuracy and performance trade-offs reported by NiST, it is acceptable to 
use the proprietary format of the extractor-matcher of the vendor selected for de- 
duplication. 

jvuili'i-tinger fusion 

Different algorithms are available to obtain consolidated score [7] and [28]. The 
selection of the algorithm will make material difference to the overall accuracy. ISO and 
otiw bodies do not make recommendations, nor do they provide empirical study. The 
U1DAI will conduct its own analysis to identify the best multi-finger fusion algorithm. 

Authentication 

The authentication process consists of steps similar to the enrolment process, but its 
requirements for accuracy, performance and interoperability are different. Since the 
authentication process is performing 1:1 verification, the captured image may be of 
lower quality compared to die image captured during the enrolment process. 
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Image capture 


Number of fingers 

It is obvious that a fewer number o! mgers should be required for verification to 
achieve a satisfactory accuracy targe.. A single linger will be sufficient to provide the 
minimum standard of accuracy requirements. Applications requiring higner levels of 
accuracy may need additio ml linger , 


Any finger option 

The normal practice is to u?e one specific linger, say the index fing?r for verification 
However, current technology could allow the person to scan any fi nger. , his is not 
merely a question of convenience Ttain fingers, depending on tf e cond?iion of the 
finger, will perform betcer in matching. Whle one cannot easily determine this a priori, 
any frequent user will Uar i it by c>\ erience. This improves subse juent user experience 
and could potentially irnpi ove match accuracy. 

Retry 

The decision on number oJ retries incs different implications during authentication. In 
case of enrolment, the final decision is to take the best possible image. The operator 
can thus "force capture ', In case of authentication, die operator needs to find an 
alternate method of authe ideation :l fingerprint verification fails. The ^ 

operator/application vrou d not know the cause of verification fai ui e. The failure coula 
be because the fingerprint did not 'natch or image capture did not produce sufncicht 
quality image for matching. In both « nses, the match score is low enough for the system 
to declare "no match". A ti neout wi i bp implemented in service alter five attempts. 

Device characteristics 

Device characteristics oovsr scan resolution, pixel depth and dynamic range. Higher 
resolution does not necessarily pro Jvice better images. Considering the U1DA1 s goal of 
making authentication ub.quilous and the availability of low cost new technology 
devices, the Committee has defined, a new standard for the scanner used in the 
authentication process. It is envisioned 1 hat *ne UiDAi will provide certification criteria 

for this standard. 


Transmission format 

The captured image need:; to be sc (it to the UID server for matching in real time, Two 
factors will decide the for mat of the image to be sent. If the transmission bandwidth is 
low, it is prudent to send as little data as possible. On the other h<nd if the computing 
device associated with thu capture' device has very limited processing power, it is 
prudent to do minimal amount of local computation. In the first case, the transmission 
will contain extracted minutiae. lr (he second, it will contain the compressed raw image. 
For example, a capture device connected to a computer communicating over a mobile 
network could send minutiae by performing local extraction. A dedicated image capture 
device with built-in network conne rtivity (s able to do little local processing and ma} ; 
send raw image. 

The UID software will support rav/ image format, compressed image format as well as 
ISO standard minutiae formal* to hr transmitted, in order to prov de maximum 
flexibility during authentication. I: is understood that raw or corr pressed image will 
give a higher level of accuracy 
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Corthpt Cl >KJ ft 

If die raw image is to be sent, JPEG 2000 compression is recommended, WSQ 
compression may be acceptable for legacy purposes. A compression of up to IS is 
acceptable. While uncompressed image will be accepted, it is not recommended. JFEG 
compression is not accepted. There is sufficient data to indicate that compression ratio 
of 15 does net affect verification accuracy Compression is not relevant if minutiae data 
is to be sent for verification. 


ivlinuhan format 

As discussed in the previous section, the biometric sample being transmitted could be 
minutiae data or image. If the data is minutiae and the U1D server has matcher that best 
pairs with die extractor used by the authenticating agency, it will use the proprietary 
data. If the server does not have matching matcher, it will only use "standard" minutiae 
data. 
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Iris Image Best Practices 


Compared to fingerprinting, iris capture i< less studied and less standardized^Fo 
e arnplp fingerprint set »n -s ire tu ted end certified per EFT S, F .tandai u. No such 
equivalent ins device ce itilical ion is available. His necessary to pr rvide greater number 
of parameter specification? to I’nsuri' quality iris capture. 


Figure 0 summarizes key decisions fur U1DAI iris design. 


' 
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Enrolment 


Two eyes > 140 p>xel in.age diameter (170 pixel 
preferred), image margin 50% left and right, 25% 
top and bottom of iris diameter 

T 

-1 

1 

image 

P 

i 

"Device Characteristics 


Tethered, autofocus, continuous image capture, 
exposure < 33 nnlii-secmcl, distance >300 mm for 
operator control, > lOOmin enrollee control 


Operational 

~~ mVr 

Operator controlled stn inglv preferred. No direct 
natural or artificial ligh 1 reflection in the eye, 
capture location: indoo '. 


Quality Assessment 

R 

Per IREX 11 recommendations 7 

—... ■ ■ 

Compression & Stcrago 

~~... s 

ISO 19794-6 (2010) da a format standard as 
tailored ir. Section 11. 

JPEG 2000 or PNC lossless compression, KIND.VGA 
of Table A.l of ISO 197' >4-6 (2010). 

Authei 

ntication 

B, S 

Same as enrollment ex. ept 

One and/or two eyes 
jPEG 2000 

KIND.CROPPED of Table A.l 


Figure 0 Iris 


The remaining section has a brief explanation 


of each decision. 


7 [REX II study conducted by NIST will be published in April 2010. It will provide 
definite empirical result of impact of image quality on matching accuracy and spee . oi 
fingerprint the analogot s study n suited in creation of NFIQ, NT IT Fingerprint Image 
Quality algorithm. IREX (I will be n normative annexure to ISO 19794-6 (2010). 
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UirOi)'V;li • 


J1 t r » 1 «»\ „!_■«* 

Capture of two eyes simultaneously provides several advantages 8 . Iris pattern of each 
eye is not correlated, giving two independent biometric feature sets, k assures correct 
assignment of left and right eyes and allows for more accurate estimation of roH angle. 

iri oidei to obtain good quality template, the iris image diameter should be minimum 
140 native pixels The Committee recommends 170 pixels for optimum quality. 


In cider to retain sufficient image surrounding of the iris for the purpose of identifying 
die left or right eye as well as for a more accurate ins segmentation, the margins around 
the iris portion of die image need to be at least 50% of the ii is diameter on the left and 
right s'des o» the image, and a least 25% of the iris diameter on the top and bottom of 
the image. 


Device Ln a ra ci erPtic\ 

In the typical enrolment setup, a computer will be connected to the biometrics devices 
to constitute the emoiment station. A tethered biometrics device provides several 
advantages over a stand-alone device. First, it allows the images to be associated with 
the euroliee demographic data at the point of capture, thus reducing possible errors. In 
villages* where a powei source may be difficult to obtain, it K* simpler to supply power 
from the computer. 


iris capture is a new experience for the public(34j. It is faster and simpler for the 
operator to adjust the camera instead of the enroliee positioning himself/herself at the 
right distance or in the right posture, it is recommended that the capture device should 
be more than 300 mm away from the enroliee to be considered non intrusive. The 
capture device should use auto focus and auto-capture functions. In special 
circumstances where the enroliee has to position himself or herself, the capture device 
should be more than 100mm away but the device should use a visor or other 
mechanical alignment aid to enable the enroliee to position themselves. 


In order to provide an acceptable level of usability and ease of alignment, the camera 
must allow for some variability in the position of the iris center relative to the camera. 
This variability is defined by position tolerances in the horizontal, vertical, and axial 
dimensions that together define a volume (the "capture volume"] within which the 
center of the iris mustbe located in order to enable image capture. For two eye capture 
devices, the capture volume dimensions for devices without mechanical alignment aids 
are 19 mm wide, 14 mm high, and 20 mm deep, and for devices with such aids, 19 mm 
wide, 14 mm high, ami 12 mm deep. 


The ability of an iris image capture device to suppress motion blur and to freeze motion, 
is a function of exposure time. The maximum allowable value for the exposure time is 
less than 33 ms, recommended being 15ms. 


The iris image capture device must be capable of capturing light in the range of 700 to 
900 nanometers. The camera s near infrared illuminator^) must have a controlled 
spectral content, such that the overall spectral imaging sensitivity, including the sensor 
characteristics, transfers at least 35% of the power per any 100 nm-wide sub-ba^d of 
the 700 to 900 nm range. 


8 Material derived from [32] 
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The iris image capture sens or shall u le progressive scanning. 

In order to achieve acceptable time-'o-capture and FTA rates, the ris image sampling 
frequency must be at least .'I frames per second. 

The capture devices typically p-ovicl. infrared lighting using LEDs to illuminate the ms. 
The illumination > in a range partly visible m the human eye. Illumination shall be 
compliant witn illumination standard lEC 0'.iS-3 and safety specifkat’on .oO 608- 

in order to achieve acceptable recog lition accuracy, the iris acquisition sensor must 
achieve a signal-to-noise ration of ai least 36dB. 

Within the frequency range of mteve-n 708 to 900 nm, the iris sen-.or shell generate 
images with at least e bks per pixel 

Operational consideration? , , .. 

As mentioned earlier, it is; trongly p -commended that the operato r an ^ not the en r o - 

nandle the capture device. The enrol lee v.iil be reauiied to sit (or < an } in 
position, like taking a portrait photograph; the operator will adjus the camera. 

The iris capture device or Ihe connoted computer shall be able to measure the iris 
image quality. The test practice recommendation is that an initial image quality 
assessment should be done to provi Me feedback to the operator during tne caP 1 *™ 
process. The device shouic alert the opei ator if the captured ms l) nage is of insuf lcie 

quality. 

The iris capture process is sensitive :o ambient light. No direct or artificial light should 
directly reflect off enrollet’s eyes. 

Segmentation and feature extraction IDCY cfll j v 

Segmentation and feature extractio . remain proprietary As repo, ted in the IRE<_study, 
the vendor providing segmentation loes not have to be the vendor providing matching 
algorithm, ir. fact. bes. ofi.ieed selection appear to ue superior to any single-ven 

solution. 

Quality assessment , 

It has been noted that image quality is the single most important: actor for mate i 

accuracy. IREXII study is anderwf y to quantify and provide best practices^ 
recommendations on the mage quality. The report, expected in April 2010, will become 
the normative annexure t) ISO 19704-6 (2010). Therefore the Committee will defer 
detailed quality recommendation? until mibl.ication of the standa ;d. 

One method widely used or ensuri lg good iris images is recomn- ended here. An ris 
camera takes streaming images. U irecommended that the devu e take successive 3 o 
7 images and use local matching algorithm to match them agains' each other (after 
feature extraction). Tfe image is considered to be of satisfactory luality if hamming 
distance of the match >s below 0.1. 

Compression and store ge . ,, 

The iris images, like fingerprints are considered to be national assets. They should be 

stored in ISO standarc format using either ]PEG 2000 or PNG lossless compression 
(KIND_VGA). It is expe cted that e;- t:n enrollee will require ISO Kt ytes of storage space, 
thus requiring total storage space of 200 Terabytes for the entire population. 
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uh3 


VjthciUicauon 

For 1:1 verification, any one eye will suffice, though application may require higher- 
level assurance whereby both eyes can be verified. Iris verification requires the image 
to be sent to the server for matching. It is recommended that the image be compressed 
to KlND_CPOPPED_AND_MASKED or KlND_CROPPED using JTEG 21)00. Resulting image 
size will between 2KB to 10 KB. Any of the larger foi mats specified by the ISO standard 
are acceptable, though not necessaiy. 
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Biometrics Accuracy 

The consequences of FAR md FRR tlurinfj authentication ate cental to the judicial 
aesign ot the UID system. b'AR determines potential number of duplicates, FRR 
determines number of enrolments necessitating manual check, he nee labor cost. While 
trade-off between the * wo rates is :i Jtamly possible, there are up >er bound 
requirements for each. Upper bou.i. ’< for each rate is set at 1%. 


No empirical study is aval able to estimate the accuracy achievable for fingerprint under 
Indian conditions. Indian condition •. are unique in two ways: 


• Larger percentage of populai ion is employed in manual laoor, which normally 
produces poorer b ometric s umples. 

• Biometric capture process ”i rural and mobile environment is less controllable 
compared to the eiivironme ital conditions in which Western data is collected. 

To estimate achievable accuracy under Indian conditions, follow, lg methodology was 
employed: 


1 . 

2 . 

3. 


Estimate achievable accuracy under Western conditions for a one billion sized 

database. , 

Estimate differenc; in image quality between Western ano Indian conditions. 

Using image quality, estimate change in achievable accui a .y undei Inciiap 


conditions. 

There is no indication to believe tint iris accuracy changes from one racial/geographical 
population to another. However, nr- definitive study is available. 


Step 1: Estimating achievable accuracy 

NIST reports FAR of 0.07% at FRF. 4.4% for 6 million Fingerprint gallery size using two 
plain fingers j 21]. Similar results were reported for FBI’s IA FIS System of 46M samples. 
It is safe to conclude that 99% ac(i:" a cy (TAR) can be achieved fer database size of 50 

million. 



Thresholds 
1300,1880 

Thresholds 
1400, 2025 


Shape 

Filter 

FAR 

TAR 

FAR 

TAR 

Match ss per j 
Second i 

Off 

0.30% 

96.3% 

0.07% 

95.6% 

734K | 

■ 3 

On 

0.32% 

96.1% 

0 07% 

95.5% 

103 5K j 


Figure 9 Two-finger identification accura: 

Several NIST reports tHow u s to es tirnate the scaling of above da ta for larger gallery 
size and for ten fingers. 

• False Acceptance Rat 3 is linear! y proportional to gallery size at constant TAR as 
shown in Figure 11. 

• False Rejection Rate does not vary over gallery size as showr in Figure 12. 

• Based on these findings, one r«,n expect that on a database si ;e that is 200 times 
larger (1.2 billion versus 6 million), the same system will hat e an FAR of 
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appi oximately 0.07*200 = 14%. The FRR can be expected to be about 4% based on 
matching of 2 linger plain fingerprints. 

* Figu'-e 10 lists effect on FAR by increasing the number of fingers for the same FRR 


[221 


Number of Fingers 

FRR % 

1 

-AR % 

2 

10.3 

29.2 

10 _; 

10.9 

J 

3.0 j 


1 t ut. u) Ut jUuv m Hiuliiplr liupci ^ 


*4 Based on the above and reviewing unde dying data, one can ballpark a 1,000 
improvement in FAR between two-finger matching and ten-finger matching (ali 
other things being equal}. So die estimated FAR estimate of 14% should be expected 
to be 1,000 times less, that is, to 0.1 Wo at FRR rate of 4%. Using further 
conversation factor of 10X change in FAR results in 2X change in FRR, this number is 
the equivalent of FAR 1a% at FRR rate of 2% (a other words, NIST data indicates de- 
duplication accuracy fFAR) greater than 95% is achievable tor ten-finger matching 
againsta database size of one billion. 


0.0005 
0 00045 
GC004 
0CDC35 
, 0 0003 

< 0.00025 
0 0002 
0 00015 
0.0001 
0 00005 
0 



—TXOPS 
INS10 
INS ben 


‘ lj-i.re 


gallery size {thousands) 

FAR as ftuictuir oi sue 



TXDPS ■ 
INS10 
INS ben 


0 


200 


400 


600 


800 


1000 


1200 


1400 


gallery size (thousands) 


Wi^v., c U 1 . i AU ;is Imrciujit oi i*aUen sht* 


UID Biometrics Design Standards 


4 5 of57 





Step 2: Image quality difference 

♦ 

It has been shown that match rates accuracy rar be estimated from the fingerprint 
image quality score. NISI classifies iu ores into five bins. Western d «ta accuracy rates roi 
the bins are shown in Figure13. Bins 1 and 2 are nearly identical, producing close to 
99% true match in 1:1 verification. Bins 4 and 5 result in unaccept; bly low true match 
rates. Of particular no^e is tin f, wh»< h could result in as low as 80% match rate (or 
?0% false accept rate). 
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tigure 13 Accuracy Range bj iin; gc quality 


In a "typical" sample analyzed to an ive at the above rate[24J, NIST has bin distribution 
shown in Figure 14 and Figure 15. bins 4 and 5 in both datasets are less than 5% of the 
total sample. 
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[•iji.s.'- Ground Conditions 

The research team at HIT Delhi focused on the ability to leverage image quality 
assessment tools in (L) analyzing the input biometric samples that are obtained from 
diverse, disparate sensors and (2) characterizing the samples based on the quality and 
amount of information present. Using three fingerprint databases, fingerprint image 
quality based experimental evaluation was performed. 

1 . DB1. This database contains images from 2? urban individuals (or 1350 images) and 
81 rural individuals (or 1620 images). This database is prepared using single 
impression sensor meeting-FIPS 201APL and FBI Image Quality Specifications. 

2. DB2. Images captured using slap scanner. This database contains slap images from 
over 20,000 individuals. Each slap fingerprint image was segmented using a 
commercial segmentation tool. After segmentation, the database contained 200K 
images. The four-finger slap sensor was EFTS/F certified and operated at level 31. 

3. D83. Pre-segmented rural slap database pertaining to about 5600 individuals 
(around 56,000 images). The four-finger slap sensor was EFTS/F certified and 
operated at level 31. 

Using DB1, experimental test bed and statistical tests were prepared, followed by 
evaluation using DB2 and DB3. Using NIST provided Fingerprint linage Quality software 
(NFIQ), images were classified in to bins according to the image quality score. The bin 
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distributions for Indian databases an.: shown in Figure 16 through Figure 19. Of 
particular interest is significantly large bin 4 & 5 numbers for DB2 as well as DB1 rural 
sample, in contract, Dili, another ru al area shows exceptionally high bins 1 and 2. 



Figure 16 Image quality score attribution r .* Urban sample 




Figure Ifl Image quality di.« trihutiou foi PUZ 
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Comparison & quality estimates 


Since, D132 and DB3 databases have only a single impression per finger, it is impossible 
io compute ROC or CMC plots and compute recognition accuracies. However, using 
existing Western iesults[24], it is possible to closely predict the expected fingerprint 
recognition performance. 


Figure 20 and Figure 22 compare quality of left and right index finger respectively. 
Ag?msty axis of accuracy (FAR), it shows cumulative bin score . Line over the Western 
curve (blue line) indicates that expected accuracy of the sample will be better than that 
of the Western population. Any points below the Western curve indicate that expected 
accuracy of that sample will be worse than the Western population. 


DB3 shows quality superior to Western image quality while DB2 shows significantly 
inferior quality. While both samples are from two different rural areas of two different 
states, the expected accuracy is vastly different. 
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Conclusions ; 

NFIQ results on the databases seem to be encouraging especially if the fingerprint 
images are captured using good operational processes. Foi the majority of images, 
quality scores vary from excellent to good. Using these images, the typical performance 
of fingerprint feature extraction and matching should meet expectations Therefore, to 
achieve good recognition accuracy, good quality images should be collected using 
optimized operational mechanisms and good sensors. 

* The UIDAl can achieve fingerprint accuracy of a quality similar to developed 
countries. There is good evidence to suggest that Indian rural data may be as good as 
developed country settings when proper operational procedures are followed and 
good quality devices are used. 

* It is possible to closely predict the expected fingerprint recognition performance. In 
the experiments, it is observed that, at 95% confidence, DB2 is expected to show 
lower accuracy compared to the Western data whereas DB3 is expected to achieve 
similar accuracy (for Q = 1, 2, and 3,99 b /o TAR with about 1% FAR]. 
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It is believed that DB3's improved image quality is due to bettei operational 
procedures. A few simp e methocs were used in DB3 data collection, such as. 

1. Using wet towels to remove dirt and moisten dry fingers 

2. Using minimum quality threshold to ensure that extra efforis are made to 
capture good prints from hard to obtain fingers and 

3. Keeping scanning devices in operational order 

These resulted in exceptionally good, bin 1 and 7 distribution. 

it is also observed that Jhe slap fingerprint segmentation tools squire some prior- 
training for Indian databases. A ft er some training, segmentation results improve by 
2-3%. This also suggests that in deploying a biometrics (fingerprint) system, a 
carefully designed a nrori training set and procedure will help in improving 

performance. 

Since NFIQ tool is trained using Western data, there are around 4-5% errors in 
correctly assigning the quality ‘.cores in the Indian fingerprint’.. It mig it e possi e 

to tune the tool to Indian data. 

When the fingerprint images in I >131 (rural and urban setting), specifically those 
causing errors were ar alyzed, it was found that there are som< • specific causes that 
are more relevant in tf e Indian :,ub continental i eghn compai ed to Western an 
European countries. Ltwsonia im rmis (commonly known as \ enna or mehandl) can 
cause significant differences in the quality of fingerprint images. Widely usea by 
women in the Indian s ill-continent during festivals, henna is appliec on 
hand/fingers and whe l applied, fingerprint sensors may not p roperly capture 

fingerprint features. 

• On analyzing the quality d istrili Jtion of each finger in every age group, it is difficult 
to generalize little fingers as useful or not. Similarly, it is not possible to generalize 
that, a particular age group or gender conforms to lower or hi ;her quality scores 

and hence better/wor>e perfon n?nce. 

Finally, it is strongly rocommendec that carefully designed exper.ments and proper 
statistical analysis under pilot should be carried out, to formally predict the accuracy o 
biometric systems for Indian rural .md urban environments. 




Face identification 

Face image, uncorrelated to fingerprint image, can be utilized in two ways. Face image 
can be independently matched using automatic matching algorithm and the results 
fused together to achieve higher net accuracy. NIST reports improved accuracy using 
fingerprint and face image score fusion [28]. It should be noted that face image alone 
provides low accuracy rate. A more practical method is hierarchical matching where 
false match rate can be improved by comparing face images of si spected duplicates 
obtained in fingerprint ir atching. 1 a the former, the entire database has to be used as 
gallery, making the matching prohibitive!/expensive, in the late \ gallery size is smal , 
typically 1% of database. The hierarchical method improves FRF (which reduces 
manual duplicate check) but doe? not directly improve FAR (wh ch results in duplicates 
in the database). Howeve r, one er r. trade off FRR to improve FAR. 
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iris lias been shown to provide accuracy comparable to fingerprint. NIST Iris test 
provided accuracy rates shown hi Figure 24[10] T. Mansfield of National Physical 
Laboi alory [33] reports low FAR for small sample 
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Fused Accuracy 

A large body of literature documents the benefits of information fusion in a variety of 
fields including search, data mining, pattern recognition, and computer vision. Fusion in 
biometric is an instance of information fusion. A strong tlieoi etical base as well as 
numerous empirical studies has been documented that suppoi t the advantages of fusion 
in biometric systems [1]. The main advantage of fusion in the context of biometrics is an 
improvement in the overall matching accuracy. Depending on the fusion method, the 
matching speed may also be improved significantly. Dr. Phalguni Gupta and his team 
report a study of fusion of fingerprint with iris [7]. They show a substantial 
improvement in matching accuracy by combining one iris with one finger. There is no 
empirical data available for Indian conditions though there is strong theoretical 
evidence that among all economically and technically feasible biometrics modalities. 
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N ews » Cities » Coimbatore 


Published: October 3 L 2011 10.08 1ST | Updated: October 31, 2011 10:13 1ST COIMBATORE, October 
31,2011 


Aadhaar card must for LPG refills 


V. S. Palaniappan 

Share ■ Comment (191 • print • T+ T+ 


Consumers to be given time to comply with Ministry order 


The Ministry of Petroleum and Natural Gas lias brought in an amendment to its Liquefied Petroleum Gas 
(Regulation of Supply and Distribution) Order 2000 making the Unique Identification Number (UID) under the 
Aadhaar project must tor availing LPG refills. 


The move is aimed at preventing multiple connections and availing cylinders in third party name and to clean up 
the LPG consumer base, as tire government was spending heavily on subsidising the domestic LPG cylinders. 


With people not showing keen interest in availing the UID or Aadhaar cards, the move of the Petroleum and 
Natural Gas Ministry is expected to increase the enrolment for Aadhaar. 

The Ministry in its circular dated October 13, 20 i 1 has announced the amendment to the LPG Regulation of 
jpt Supply and Distribution order 2011. The Ministry 1 s decision to make Petroleum Coiporations sensitise 

distributors on Aadhaar card for availing refills lias been published in the Gazette of India vide notification dated 
September 26. 

The order has come into e fleet from the date of publication of the gazette notification. 

The decision to make Aadhaar UID mandatory has been taken by exercising powers conferred under Section 3 
ofthe Essential Commodities Act of 1955 (10 of 1955). 

The amended order reads as follows: No distributor of a Government Oil Company shall supply LPG cylinder to 
any household unless the head of such a household furnishes Aadhaar number of each member of his or her 
household to the distributor within three months from the date of notification of such area. 
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Notification of such area means an area notified for enrolment for availing Aadhaar number. Many major towns 
io^Vestern Tamil Nadu came under Aadhaar enrolment notification in June and July of 2011. / j £ 

Officials of the Oil Corporations in Western Tamil Nadu when contacted said that distributors had been asked to 
sensitise consumers on the need for availing the Aadhar number at the earliest for availing uninterrupted supply of 
LPG refilL 


Consumers will be given reasonable time to comply with the directive. 

Keywords: LPG supply . Aadhaar card 
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shodage hits Aadhaar enrolment 

TOPICS 


India Tamil Nad u 

_ Comments: 

Sr, Recently only Aadhaar-card is being spoken and hardly a very few are aware of this card. The Government 
has not taken swift action to educate the importance of this in urban areas, how could they effective action 
against LPG refill supply. It is going to create hardship to the public at large. Like Ration card Government 
should go about canvassing house to house before implementing actioa 

from - RamachandranJ 

Posted on: Oct 31, 2011 at 19:07 1ST 

The process of taking the sick and very old people to Aadhaar centres is going to be an extremely difficult task. 
Hence Aadhaar numbers should not be insisted upon for the gas connections owned by them. 
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from; Devarajan 

Pasted on; Hov 1, 2011 at 02:15 1ST 

The report would have been more complete if only the details of the areas in Tamil Nadu,so fer notified, had 
been listed out. Can you please carry this ii'tfc >rmatl0n 111 V 0lLr publication ? 

from V Gumptasad 
Posted on: Hov 1 ,2011 at 06:421ST 

I had fixed up appoimmsnts for my Aadhar Card wih M/siKary Consultants, T Nagar Ctennai for the 15* 

Sent When I went to their oEce at the scheduled lane witkmy wife, they mfcnrcd me that there were some 

iJhnical issues and would call us back after 3-4da^. It is« and a hlafmonths since and we are yet to be 

c Vo rarHv» m-niect- The Government is doing its maximum to inconvenience the 
called. This is the state of affairs 01 the piQJ° e 

common man. We suffer in silence. 

from P M Vijayaraghavan 
Posted on: Nov l. 2011 at 06:44 1ST 

Here we go attain! What is wrong with the oil markehng companies - why do they keep inventing tew ways to 

Os'rass the consumers? The trouble we were all put 10 a ft* years ago when they inststec on ration cards .c 

... r , • m .. mind because k involved running from pillar to post to get a ration caid 
identity 'genwne' user * stdl fch in my ^ ^ ^ ^ fc; cut downlhe ^ of ^ 

just to make a cup of vO ee ark. and Thi should make plenty available to all of us - common 

cylinders and connections given to all f 

tax-paying c it ire ns without strings and 'cooi^ eC 10112 

•% 

f* 

from Vjchitva PK 

Posted on: Nov 1, 2011 at 12:51 1ST 

i once a year, where would I get my gas cylinder from? To have to get 

As anNRI who comes home on v. fct of coffee b a fcw iays if™, 

an Adhaar card M and men book for a cy rf ^ J 

weeks. Is there no other way to rlenufy *= ^ wh ere customers rced to pay a higher price for LPG 

How would this effect the new pricing p ^ A(|haar cards fcr that as well 9 The more control you 

. vlinders bevond the subsidized quota? Lf° . . ... 

t^ybiu . „ become to corruption in a country lilce ours. 

bring into the system, the more prone we 




from Mathew PG 

Posted on: Nov 2,2011 at 09 :r 1 1ST. 

, . rf . n ge for awarness programme before implementing for any availment 

govt should give more information and arrang p 

of the commodities, 
from sertfhiflcumar 

Posted on: Nov 2, 2011 at 1123 1ST 

JL . is being issued to Chennai city and if so who is to be contacted. Such 

It is not known whether Aadhaar numb ^ ^ ^ ^ posted b Aadhaar web site . it appears if this trend 

details are not known to pubhe through Mdhaai nunlber to aU Indians. 

continues, it may take several years to iss 
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from; R.Ganesan. 

Fasted on: Nov 2, 2011 at 18:34 1ST 

Govt, very stow and not much interested in making public for Aadhar. How many advts are released for Aadhar 
?. First move should be made by the GOVT for publishing this and it should be made mandate.Very good 
initia tive taken by govt, but very less awarness in public because no one knows where we get this and how to get 
it and what ate the advantage-or necessity of getting this cards. 



from: Venkatesh 

Posted on: Nov 3, 2011 at 16:11 1ST 

Wfaats die difference between Aadhar & UID? (This is the state of affairs in the common man's mindset now). 
Advertisements on a major scale is needed before implementing any new laws. Common man should not be 
aifected. Why not government embrace the power of IT? So, people can still carry on their- normal lives and also 
conplete the formalities to get this card be it UID or Aadhar or Ration or PAN or Aavin card or whatever. 


from: Ram 

Posted on: Nov 4, 2011 at 13:10 1ST 


a Aadhar card issuing audionties should be join a position to utilise the list of residents with election commision 
authorities and the aadhar prepared in accordance with that hi advance and and recjuestthe residents to come 
and collect it. Under any circumstances the culture of come-tommorow should be avoided by concerned 
authorities,and avoid putting elders in difficulties. 


from C.K.Pandarinathan 

Posted on: Nov 7, 2011 at U .40 1ST 

\ 

really tine government is harassing the oid people, sick people and those who aie tenants having no registered 
rent agreement but having unregistered rent agreement.. 

from MSubramanian 

Posted on: Nov 9, 2011 at 11:59 1ST 

Aadhar card should have language of choice of the people and not Hindi alone. This should not be used as 
another political or discriminatory tool by the central government. 

from Selvan 

Posted on: Nov 10, 2011 at 16:35 1ST 

Making UID cards mandatory is not foil because the ration card which is a valid document has been in force to 
get an authorised domestic connection. Further, why make the life of the comman man and the regular honest tax 

assesse ail the more complicate ? 


from hema ravi 

Posted on: Nov 15, 2011 at 15:21 1ST 

I don't see any reason why NRI is making fuss about this arrangement. In our country each and ewy rule 
brought by the beauracrats is to make money. If you pay extra 50 Rs, even the CEO of oil company will deliver 
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the cylinder to your door step with utmost respect, in a highly corrupted India. All rules and laws is only to j 
torture the havenot's not for rich people. 


from: R.Manivarmane 

Posted on: Nov 15,2011 at 16:15 1ST 



Where and how to apply Aadhar card for Pallavaram area (Kancheepuram District) 
from: R. Nisha 

Posted on: Nov 16, 2011 at 12:37 1ST 

Why should I go for Aadhar card when I have several ids Including passport...have we 
not lived with ration card as if all these years? Govt is getting rotten day by day. 
making avenues for fresh corruption to happen. Has the bill been passed by 
parliament on LTD as yet? Important concern is U1D is going to destroy the ape old 
public distribution system 


from Bhargavi 

Posted on: Nov 24, 2C11 at 19:09 1ST 

Dear Sits, I think (he government can introduce another rule to prod'ace your Aadhaar card even to get your 
monthly salary from your employer!. Can we destroy our Ration cards after receiving the Aadhaar cards? as 
nowadays one cannot aftbrd to maintain TWO Wives. Krishnamoorthy 


from K rishnamoorthy S 

Posted on: Nov 26, 2011 at 12.06 1ST 


there is no point in making it mandatory for Ipg issue since many districts in tamilnadu lias not been issued with 
aadhar card/number, can anybody produce a document when the same has not been issued at ail 

from a.mahadevan 

Posted on: Dec 7, 2011 at 1125 1ST 
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! 2. Comments that are abusive, personal, incendiary or irrelevant cannot be 
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j. Please write complete sentences. Do not type comments in all capital letters, 
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i 4. We may remove hyperlinks within comments. 
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(For DDOs who hav* entered full/partial data In Sevaarth) 


Treasury Code ^4 Digits) 
DDO Code (6 Digits) 

Scheme Code 
(8 -Digits) 


Treasury Name 
DDO Designation 

Scheme Details 

Scheme Description 

Employee Detai ls 


No 


Name of Employee Sevaarth Code 
(BLOCK LETTERS) (11-Digits) 


Enrollment Number (KID) 
(28 Digits) 
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Name of Employeo Sevaail li Code 
(BLOCK LETTERS) (11-Digits) 
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IN THE HIGH COURT OF JUDICATURE AT BOMBAY 

ORDINARY ORIGINAL CIVIL JURISDICTION 
PUBLIC INTEREST LITIGATION NO. OF 2012 


Vickram Crishna & Ors 


... .Petitioners 


V ersiis 


Unique Idemification Authority of India & Ors. 


Respondents 


AFFIDAVIT IN SUPPORT 

I> Vickram Crishna, the Petitioner No I above named. 

* 



residing at A-3 1 , Queens Apts, Pali Hill, Bandra, Mumbai- 400 050 
do hereby state on solemn affirmation as under: 

1.1 say that I have filed the above Petition for the reliefs more 


specifically set out in the Petiiion. 


2.1 repeat, reiterate and adopt each and every statement in the Petition 
as if the same were set out herein and form a part of this affidavit. 

I crave leave to refer and rely upon the Petition. 

3.1 say that if the ad-interim reliefs are not granted., grave loss, harm, 
injury and prejudice will be caused to the Petitioner and if granted, 

no loss, harm, injury and prejudice will be caused to the Respondents. 



4. I, therefore, pray fiat the Petition be made absolute with costs 


and ad-interim rel iefs may be granted. 


Solemnly affirmed at Bombay 
Dated this /<f ^tay of January ,2012 


Identified by me 



MIHIR DESAI 


Advocate for Petitioners 



I Petition :r No 1 

y 




tfW u».£ 
ryi ;v;r nr^n^r 


Before me 



IN THE HIGH COURT OF JUDICATURE AT BOMBAY 

ORDINARY ORIGINAL CIVIL JURISDICTION 
PUBLIC INTEPEST LITIGATION NO. OF 2012 ' 


Vtckram Cristina & Ors 


.. ..Petitioners 


\ ersus 

Unique Identification Authority of India & Ors.... 


Respondents 


To, 

The Prothonotary & Senior Master 

High Court, O.O.C.J 

Mumbai. 


Madam, 

ADVOCATE’S CERTIFICATE 


I, MIHIR DESAI Advocate for the Petitioner do hereby certify that 
the present Writ Petition is required to be place before the Division 
Bench as per the amended. Rule 636 (I ) (b) of the Bombay High 
Court, O.S Rules. Therefore the Writ Petition is required to be 
placed before the Division Bench. 


Dated this 


day of January 2012 


ik, 

^ -J/*» /t V l 

Advocate for the Petitioners 





